I'm working on an MVC Intranet site using AD authentication and I'm getting an error when a user tries a URL of this format:

.../myController/view/64+

Other errors such as

.../myController/view/aString

.../myController/view/

are all handled fine but the '64+' scenario hits the Authorize attribute, and the User.Identity is null.

Any pointers much appreciated.

Controller code:

    using System.Web.Mvc;

    // The role check applies to every action on this controller.
    [Authorize(Roles = "dom\\group")]
    public class MyController : Controller
    {
        [HttpGet]
        public ActionResult View(int id)
        {
            // do stuff..

            return View(viewModel);
        }

        protected override void OnException(ExceptionContext filterContext)
        {
            // handle and log error
        }
    }

The site routing is the default:

    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional }
        );
    }
SkeetJon

1 Answer

User.Identity is null if the user isn't logged in. As you didn't decorate your action with an Authorize attribute, this can happen.

A routing issue would prevent the action from being hit at all, so I would exclude that.

bdongus
  • The [Authorize] attribute is on the controller declaration itself. Authorisation works fine for all valid URLs and other exception cases - updated Q to show this – SkeetJon Jun 03 '16 at 10:03
  • It isn't hitting the action at all, which is why I thought it was a routing issue – SkeetJon Jun 03 '16 at 10:09
  • Okay. "64+" is interpreted as a string. Your action requires an int. Therefore no route is found. – bdongus Jun 03 '16 at 10:23
  • If "64+" is a string, why wouldn't it behave as in the "aString" example? Thanks for trying to help, btw :) – SkeetJon Jun 03 '16 at 12:36
  • Tried "64%2B" instead of "64+"? – bdongus Jun 03 '16 at 12:45
  • Or turn off validation with the [ValidateInput(false)] attribute, as stated here: http://stackoverflow.com/a/29612161/784725 – bdongus Jun 03 '16 at 12:52
  • I'll go with the 'it's a security feature' - users shouldn't be typing URLs manually anyway, ty – SkeetJon Jun 03 '16 at 13:08