
I have a controller with a custom Authorize attribute on a method:

    class ItemsController
        [MyAuthorize]
        ActionResult MyMethod()

I also use Kendo ASP.NET MVC to create a menu. Kendo provides a great feature with Security trimming where if I try to add a menu item to MyMethod, as Kendo is building the menu, it will check if the current user will have access to the MyMethod action. I don't know how this works or is done.

The issue I am running into is that my code in MyAuthorizeAttribute.AuthorizeCore() logs when a user makes a request and is not authenticated or authorized to view the requested page. This works great except when the user doesn't have access to one of the pages in the menu. Somehow Kendo triggers the MyAuthorizeAttribute.AuthorizeCore() code for the action/controller that the menu item points to. That's all fine except I don't want to log that. The user didn't make a request to the action/controller; it is just an internal check.

So my question is, is there a way for me to determine if the call to MyAuthorizeAttribute.AuthorizeCore() is a security trimming request or an actual page request?

slolife
  • You should have access to the `Request` in the Attribute. So depending on if you can tell the difference between requests (take a look at the ajax call in chrome dev tools) then you can certainly put the same logic in the `MyAuthorize` attribute. However, I wouldn't even make it do unnecessary calls, you can use reflection to return all the valid methods available to the current user per controller pretty easily. – Erik Philips Jan 24 '18 at 23:44
  • @ErikPhilips, yes, that is what I am trying to figure out... how to differentiate between a request and a method call in this case. I suspect that the calling method in the security trimming case passes its own HttpContext. But I don't know that. – slolife Jan 25 '18 at 01:11

0 Answers