Since it doesn't appear to be supported natively, what's the recommended way of implementing global filters on a per-area basis?
Asked
Active
Viewed 5,003 times
6
Robert Koritnik
- 103,639
- 52
- 277
- 404
Richard Szalay
- 83,269
- 19
- 178
- 237
-
Putting the filter on every controller of that area? :) But seriously, do you mean `ActionFilters`? – Sergi Papaseit Apr 18 '11 at 08:32
-
I do, but as of MVC 3 `ActionFilters` are a specific implementation of the broader `IFilter` – Richard Szalay Apr 18 '11 at 08:47
2 Answers
9
The reason it's not supported natively is because we want to discourage developers from doing it. Areas are not associated with controllers; they're associated with routes. We wanted to discourage developers from trying to apply authorization or other security-sensitive filters to areas since they can be bypassed.
See How can we set authorization for a whole area in ASP.NET MVC? for more information.
-
1For an MVC 4 update, see http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx – RickAndMSFT Mar 23 '12 at 23:43
-
4_"Areas are not associated with controllers"_ -- funny that I can see a controllers folder in each area. Controllers are **always** associated with an area: either the "root" area, or a custom area. So I disagree. A common example of areas is to create an "Admin" area - guess what filter you'd want to apply globally to just that area. – Quango Jan 24 '13 at 14:26
-
1@Quango Your assumption is incorrect. See also my answer to http://stackoverflow.com/questions/2319157/how-can-we-set-authorization-for-a-whole-area-in-asp-net-mvc/2320419#2320419, which demonstrates that controllers don't belong to areas. – Levi Jan 24 '13 at 20:50
-
Thanks for explaining that: I now understand what you mean better, and withdraw my previous comment. It sounds like the controller factory is being too helpful in matching stuff up. – Quango Jan 25 '13 at 08:14
