"Security aware" action link?

Question

How can I create a "security aware" action link that detects if a user is authorized to click (invoke) the action?
Hide link if user is not allowed to use that action...

Depending from

web.config (authorization) and
[Authorize] attributes on actions

PS
I guess it is bad practice to mix those 2 in MVC?

I combined @jfar's code with MvcSiteMapProvider to provide support for Areas. If anyone is interested, I've put what I have on CodePlex at https://authorizedactionlink.codeplex.com/. The source and a binary .NET Framework 4.0 DLL are available up there. — Bitmapped, Aug 10 '12 at 00:16

score 30 · Accepted Answer · edited Feb 18 '15 at 22:45

This is some code poached from the MvcSitemap project and modified for my own use. If I remember correctly this code has been modified for MVC2 and some of the functions might have to be back ported to MVC1.

Its not bad practices at all to mix MVC and FormsAuthentication together, MVC's default authentication methods are build around the existing Asp.net security infrastructure.

Code to determine if user has permissions:

public static class SecurityTrimmingExtensions 
{

    public static bool HasActionPermission( this HtmlHelper htmlHelper, string actionName, string controllerName )
    {
        //if the controller name is empty the ASP.NET convention is:
        //"we are linking to a different controller
        ControllerBase controllerToLinkTo = string.IsNullOrEmpty(controllerName) 
                                                ? htmlHelper.ViewContext.Controller
                                                : GetControllerByName(htmlHelper, controllerName);

        var controllerContext = new ControllerContext(htmlHelper.ViewContext.RequestContext, controllerToLinkTo);

        var controllerDescriptor = new ReflectedControllerDescriptor(controllerToLinkTo.GetType());

        var actionDescriptor = controllerDescriptor.FindAction(controllerContext, actionName);

        return ActionIsAuthorized(controllerContext, actionDescriptor);
    }


    private static bool ActionIsAuthorized(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        if (actionDescriptor == null)
            return false; // action does not exist so say yes - should we authorise this?!

        AuthorizationContext authContext = new AuthorizationContext(controllerContext);

        // run each auth filter until on fails
        // performance could be improved by some caching
        foreach (IAuthorizationFilter authFilter in actionDescriptor.GetFilters().AuthorizationFilters)
        {
            authFilter.OnAuthorization(authContext);

            if (authContext.Result != null)
                return false;
        }

        return true;
    }

    private static ControllerBase GetControllerByName(HtmlHelper helper, string controllerName)
    {
        // Instantiate the controller and call Execute
        IControllerFactory factory = ControllerBuilder.Current.GetControllerFactory();

        IController controller = factory.CreateController(helper.ViewContext.RequestContext, controllerName);

        if (controller == null)
        {
            throw new InvalidOperationException(

                String.Format(
                    CultureInfo.CurrentUICulture,
                    "Controller factory {0} controller {1} returned null",
                    factory.GetType(),
                    controllerName));

        }

        return (ControllerBase)controller;
    }

}

Html Helpers

public static class SecurityTrimmedLink
{
    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName)
    {
        return htmlHelper.HasActionPermission(actionName, "")
                   ? htmlHelper.ActionLink(linkName, actionName)
                   : MvcHtmlString.Create("");
    }        

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, RouteValueDictionary routeValueDictionary )
    {
        return htmlHelper.HasActionPermission(actionName, "")
                   ? htmlHelper.ActionLink(linkName, actionName, routeValueDictionary)
                   : MvcHtmlString.Create("");
    }

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, object routeValues, object htmlAttributes )
    {
        return htmlHelper.HasActionPermission(actionName, "")
                   ? htmlHelper.ActionLink(linkName, actionName, routeValues, htmlAttributes)
                   : MvcHtmlString.Create("");
    }

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, string controllerName)
    {
        return htmlHelper.HasActionPermission(actionName, controllerName)
                   ? htmlHelper.ActionLink(linkName, actionName, controllerName)
                   : MvcHtmlString.Create("");
    }

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, string controllerName, object routeValues, object htmlAttributes)
    {
        return htmlHelper.HasActionPermission(actionName, controllerName)
                   ? htmlHelper.ActionLink(linkName, actionName, controllerName, routeValues, htmlAttributes)
                   : MvcHtmlString.Create("");
    }
}

Warning: This won't work in MVC 5 because the call to FindAction() never returns an action descriptor

I tried to find the issue and couldn't and ended up programming a work around. :(

Can you update this answer or post a new one, when you implement caching as you mention in your code comment? :-) THANKS heaps... Or point to a blog or resource where to keep updated on this.. — Peter Gfader, Apr 27 '10 at 23:35
@Peter Gfader This is just some code that floats around my personal toolbox. So far its always been the smallest performance concern. — John Farrell, Apr 28 '10 at 01:19
Hey, I'm trying to get this to work, and it seems to have issues when using areas. Have you used this with Areas before? — Charles Boyung, Aug 25 '10 at 14:39
Yes, just change the htmlHelper.ActionLink calls and add some method overloads. — John Farrell, Aug 25 '10 at 14:44
The problem is that when it calls CreateController, I get the following error: The controller for path '[PAGE URL]' was not found or does not implement IController. This happens whenever the page I'm viewing is in an area because the area in the RequestContext doesn't match. — Charles Boyung, Aug 25 '10 at 14:51
Okay, I found a solution. The problem is that the "UseNamespaceFallback" DataToken in the route data is being set to false somewhere for some reason, so it is only searching for controllers in the current request's controller's namespace. I thought that this defaulted to null (meaning true in this situation), but I'm not setting it anywhere and the value is coming back as false, so that's the problem. — Charles Boyung, Aug 25 '10 at 15:52
To fix, I store the original value of UseNamespaceFallback in a temp variable and then set the token to true right before CreateController. Right after that, I set it back to the original value. — Charles Boyung, Aug 25 '10 at 15:53
The method private static ControllerBase GetControllerByName(HtmlHelper helper, string controllerName) does not appear to work correctly when you are using Areas and MVC3, especially if you have two controllers use the same name. — Keith Sirmons, Jun 30 '11 at 19:57
Would be great to make it work with Areas when they have controllers with the same name. — Regent, Aug 31 '11 at 13:29
I don't know what's handled by `if (controller == null)`, or if this is specific to MVC 4, but `factory.CreateController` will throw an exception if the controller does not exist. — user247702, Aug 06 '13 at 13:17

score 7 · Answer 2 · answered Dec 26 '12 at 20:14

jfar's code worked for me for the most part, but I had to make some modifications for MVC4. This is the only method that had to change:

private static bool ActionIsAuthorized(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
{
    if (actionDescriptor == null)
        return false; // action does not exist so say yes - should we authorise this?!

    AuthorizationContext authContext = new AuthorizationContext(controllerContext, actionDescriptor);

    // run each auth filter until on fails
    // performance could be improved by some caching
    foreach (var filter in FilterProviders.Providers.GetFilters(controllerContext, actionDescriptor))
    {
        var authFilter = filter.Instance as IAuthorizationFilter;

        if (authFilter == null)
            continue;

        authFilter.OnAuthorization(authContext);

        if (authContext.Result != null)
            return false;
    }

    return true;
}

Jamee · Answer 3 · 2012-03-22T10:08:09.803

The Area part is a bit more complicated than just adding some overloads. The UseNamespaceFallback hack doesn't work because you will instantiate the wrong when you have identically named controllers in different Areas.

You need to have a way to get the correct namespace for the Area

otherwise this

 IController controller = factory.CreateController(helper.ViewContext.RequestContext, controllerName);

Will go wrong.

Currently I have the links like this in the view

@Html.SecurityTrimmedActionLink("this link", "Index", "Home",new {Area=string.Empty});   
@Html.SecurityTrimmedActionLink("this link", "Index", "FunctionAdministration", new   {Area="Administration" }, null);

Inside

public static bool HasActionPermission(this HtmlHelper htmlHelper, string actionName, string controllerName, object area)

I will get the namespace for the area or the default namespace when area is empty.

private static string GetNamespaceForArea(string area, RouteCollection routeColl)
    {
        string ns = string.Empty;
        foreach (RouteBase routeBase in routeColl)
        {
            if (routeBase.GetType() == (typeof (Route)))
            {
                Route route = (Route) routeBase;
                RouteValueDictionary dataTokens = route.DataTokens;
                ;
                if (area != null)
                {
                    if (dataTokens.ContainsKey("area"))
                    {
                        if (area.Equals(dataTokens["area"]))
                        {
                            ns = (string) ((string[]) dataTokens["Namespaces"])[0];
                            break;
                        }
                    }
                    else
                    {
                        if (area.Equals(string.Empty))
                        {
                            ns = (string) ((string[]) dataTokens["Namespaces"])[0];
                            break;
                        }
                    }
                }
            }
        }
        return ns;
    }

You need to setup the default namespace in your route in globalasax for example like this (default ns "ActionLinkTest.Controllers"):

routes.MapRoute(
            "Default", // Route name
            "{controller}/{action}/{id}", // URL with parameters
            new { controller = "Home", action = "Index", id = UrlParameter.Optional } // Parameter defaults
            , new[] { "ActionLinkTest.Controllers" }
        );

use it to create the controller based on the type name:

ControllerBase controllerToLinkTo = string.IsNullOrEmpty(controllerName) ? htmlHelper.ViewContext.Controller :(ControllerBase) Activator.CreateInstance(Type.GetType(type));

in global.asax define the areas

areaRegistration.Add("Administration","Areas.Administration");

score 0 · Answer 4 · answered May 29 '19 at 18:33

In my case, I would like my logic to stay in the controller side. So I removed the dependency on HtmlHelper. The changes are minor, but it might help.

    protected bool HasActionPermission(string actionName, string controllerName)
    {
        if (string.IsNullOrWhiteSpace(controllerName))
            return false;

        var controller = GetControllerByName(ControllerContext.RequestContext, controllerName);
        var controllerDescriptor = new ReflectedControllerDescriptor(controller.GetType());
        var actionDescriptor = controllerDescriptor.FindAction(ControllerContext, actionName);
        return ActionIsAuthorized(ControllerContext, actionDescriptor);
    }

    private static bool ActionIsAuthorized(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        if (actionDescriptor == null)
            return false; // action does not exist so say yes - should we authorise this?!

        AuthorizationContext authContext = new AuthorizationContext(controllerContext, actionDescriptor);

        // run each auth filter until on fails
        // performance could be improved by some caching
        foreach (var filter in FilterProviders.Providers.GetFilters(controllerContext, actionDescriptor))
        {
            var authFilter = filter.Instance as IAuthorizationFilter;

            if (authFilter == null)
                continue;

            authFilter.OnAuthorization(authContext);

            if (authContext.Result != null)
                return false;
        }

        return true;
    }

    private static ControllerBase GetControllerByName(RequestContext context, string controllerName)
    {
        IControllerFactory factory = ControllerBuilder.Current.GetControllerFactory();

        IController controller = factory.CreateController(context, controllerName);

        if (controller == null)
        {
            throw new InvalidOperationException(

                String.Format(
                    CultureInfo.CurrentUICulture,
                    "Controller factory {0} controller {1} returned null",
                    factory.GetType(),
                    controllerName));
        }
        return (ControllerBase)controller;
    }

"Security aware" action link?

4 Answers4

Linked