
I have the scenario below.

My controller checks that the user has the proper rights and then redirects him to the proper action.

All actions have the ChildActionOnly attribute, because these actions can't be invoked directly by URL (only a user with the proper rights can invoke an action).

Each action returns a View with a special button. This button can call a critical action.

I illustrate it in the picture (link below):

http://s23.postimg.org/fmndgt5p7/mvc.jpg

My question is: how can I call the DeleteData action after clicking the special button? I don't want the ability to call the DeleteData action directly via URL, and I don't want to check the user's rights a second time.

Paul

2 Answers


I don't want the ability to call the DeleteData action directly via URL

So, you want to send brain waves to the server? How will the server ever get the message to do the delete operation?

I don't want to check the user's rights a second time.

The fact of the matter is you are making another round trip to the server, so you must check user rights again, at least if you want to have any measure of security.

MVC doesn't provide any magic. It still depends on the stateless HTTP protocol to function. So everything that it does must communicate over that protocol. You can get fancy and make calls via AJAX so there aren't so many page loads, but every interaction with the server must make a complete round trip (request and response) to the server. There is no way to avoid that.

NightOwl888

Sounds like you are already hiding the button if they do not have permission to delete, but you would need to check the permission again when making the delete request, since it would be a new request.

Delete actions should be restricted to POST only (see "Why shouldn't data be modified on an HTTP GET request?").

You would need to expose the delete action via a URL that only responds to POST and it would need to verify permissions again since it's a new request to the server.

It could be done with an ajax request or (Post/Redirect/Get) http://en.wikipedia.org/wiki/Post/Redirect/Get

A Post/Redirect/Get is shown below; it prevents the user from clicking refresh and submitting the request again, and the POST will not be in the browser's back history.

[HttpPost]   // a GET to this URL does not match the action, so it is not served
public ActionResult DeleteSomething(int entityId){
    //Delete object then redirect back to original page
    //(the redirect is what makes this Post/Redirect/Get)
    return RedirectToAction("Index");
}
Nathan Smith
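Both answers make the same point: the click on the button is a new HTTP request, so the rights check has to run again, and the delete must only answer to POST. The following ASP.NET MVC 5 controller is an added example (not code from the question or either answer) that puts the pieces together: one reusable rights check applied to both the page that renders the button and the DeleteData action, POST-only plus an anti-forgery token on the delete, and a Post/Redirect/Get afterwards. RequireDeleteRightAttribute, UserRights, DataStore and the controller/action names are hypothetical; the allowed-user list is constructed sample data standing in for a real permission store.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical permission store. In a real application this would query the
// database or the user's claims; here it is a constructed sample list.
public static class UserRights
{
    private static readonly HashSet<string> CanDeleteUsers =
        new HashSet<string> { "alice" };   // sample data, not real accounts

    public static bool CanDelete(string userName)
    {
        return userName != null && CanDeleteUsers.Contains(userName);
    }
}

// Hypothetical persistence layer standing in for the real repository.
public static class DataStore
{
    public static void Delete(int entityId) { /* remove the entity */ }
}

// One rights check, declared once and attached to every action that needs it.
// Because it is a filter, it runs on every request, including the POST that
// performs the delete, which is exactly the "second check" the answers require.
public class RequireDeleteRightAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base.AuthorizeCore enforces authentication (and any Roles/Users set
        // on the attribute); the application rule is layered on top of it.
        return base.AuthorizeCore(httpContext)
            && UserRights.CanDelete(httpContext.User.Identity.Name);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user without the right gets 403 instead of being
        // bounced to the login page, which is the base class behaviour.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class DataController : Controller
{
    // GET /Data/Index renders the page with the delete button. The button is
    // only ever shown because this request passed the rights check.
    [RequireDeleteRight]
    public ActionResult Index()
    {
        return View();
    }

    // GET /Data/DeleteData/5 typed into the address bar never reaches this
    // method: [HttpPost] excludes it from action selection, so MVC answers 404.
    [HttpPost]
    [ValidateAntiForgeryToken]   // the form must carry the token from Index
    [RequireDeleteRight]         // rights checked again: this is a new request
    public ActionResult DeleteData(int entityId)
    {
        DataStore.Delete(entityId);

        // Post/Redirect/Get: the browser ends on a GET, so F5 does not repeat
        // the delete and the POST is not left in the back history.
        return RedirectToAction("Index");
    }
}
```

The "special button" in Index.cshtml is then simply a form that posts to the action and includes the token the filter expects: `@using (Html.BeginForm("DeleteData", "Data", FormMethod.Post)) { @Html.AntiForgeryToken() @Html.Hidden("entityId", Model.Id) <button type="submit">Delete</button> }`. Keeping ChildActionOnly on the actions that render pages does not protect DeleteData; what protects it is that the attribute filter runs on the delete request itself.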