1

We're busy porting a legacy ASP.NET web forms application to MVC. Some modules are finished with their valid Authorize attributes correctly set up, but only 1 module is going live.

So we must prevent the user from navigating to different modules (which are there, but not "live" yet). We don't want to meddle with the existing Authorize attributes, but users are currently not allowing access to these modules.

Here are my thoughts and shortfalls:

  1. In Global.asax subscribe to Application_AuthenticateRequest and have a list of "Live" controllers, check the Request URL and throw and redirect to "Not Authorized page" if necessary. But how then I would would have to manually take routing into account where the URL may mysite/ could route to mysite/Foo/Bar/.

  2. Could the traditional web.config authorization be used for this scenario? (This would be easier to maintain than number 1, but the web is littered with Don't do this in MVC's)

Something like this, where Customer is the controller:

<location path="Customer">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
  1. Alternatively take the plunge, comment out ALL the Authorize attributes from the controllers which aren't live :( hoping not to go down this route...

Any push in a better direction would be greatly appreciated.

Niels Filter
  • 4,430
  • 3
  • 28
  • 42
  • 1
    Create a key in web config where you specify a list of controllers in Beta stage. Grab that list in another attribute like BetaAuthorizationAttribute and redirect your users somewhere http://stackoverflow.com/questions/1498727/asp-net-mvc-how-to-show-unauthorized-error-on-login-page or http://stackoverflow.com/questions/20123589/how-to-restrict-access-to-certain-actions-in-controller-in-asp-net-mvc could be some reference for you – Razvan Dumitru Sep 07 '15 at 14:05
  • Thanks @RazvanDumitru, that's a fantastic idea. That would mean having to change the existing `Authorize` attributes unfortunately, but once done I can easily control access to live vs beta or controllers. – Niels Filter Sep 08 '15 at 08:20

1 Answers1

1

You could use the asp.net mvc filter on this case. 

    public class YourCustomFilter : IFilterProvider
    {
        public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
        {
            List<Filter> result = new List<Filter>();

            var routeData = controllerContext.HttpContext.Request.RequestContext.RouteData;
            var controller = routeData.GetRequiredString("controller");
            var action = routeData.GetRequiredString("action");

            if (controller != "livecontrollername" && action != "liveactionname")
            {
                result.Add(new Filter(new YourCustomAuthorizeAttribute(), FilterScope.Global, null));
            }

            return result;
        }
    }

    public class YourCustomAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    { 
        //Do something to prevent user from accessing the controller here
    }

Then register this custom filter in Global.ascx, App_Start:

protected void Application_Start()
{
     FilterProviders.Providers.Add(new YourCustomFilter());
}
Minh Nguyen
  • 2,106
  • 1
  • 28
  • 34