Can the AuthorizationAttribute attribute prevent the action from completing completely?

I have a special AuthorizationAttribute attribute that seemed to work on the surface. When a user without the correct permissions requests an action through a browser, a message is displayed.

I started applying this attribute to HttpPost actions that do things like delete. Although the answer is correct, the body of the action is still executing (in this case, the item has been deleted).

What I want is to completely prevent the action method from doing anything if the authorization attribute fails. Does it need authorized attributes, or should I look differently?

Update:

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        Check.Require(filterContext != null);

        if (service.HasPermission(requiredPermission))
            return;

        filterContext.HttpContext.Response.StatusCode = 404;
        filterContext.HttpContext.Response.StatusDescription = "File not found";
    }

The action of the controller is as follows:

    [HttpPost, RequiresPermission(Permissions.CanDeleteContentItem)]
    public JsonResult Delete(Guid id)
1 answer

Mark my answer here, as it looks like what you are trying to accomplish.

What you need to do is change the result returned by the action, and not just change the values of the headers.

    // Uses System.Web.Mvc and System.Web.Routing.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        Check.Require(filterContext != null);

        if (service.HasPermission(requiredPermission))
            return;

        // Assigning Result stops the pipeline before the action method runs.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Home" },
            { "action", "NoPermission" }
        });
    }

Update

You can also do the following if you want to return the correct HTTP response:

 filterContext.Result = new HttpUnauthorizedResult(); 
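Why the change in the answer stops the delete, as an added example that is not part of the original post and is not ASP.NET MVC source: a simplified console model of the invoker, which skips the action only when an authorization filter has assigned a result. `AuthContext`, `IAuthFilter`, the two filter classes and `Invoke` are hypothetical stand-ins for the MVC types.

```csharp
// Added illustration: simplified model of the MVC action-invocation flow.
// AuthContext, IAuthFilter and Invoke are stand-ins, not System.Web.Mvc types.
using System;
using System.Collections.Generic;

class AuthContext
{
    public int StatusCode = 200;   // stands in for Response.StatusCode
    public string Result;          // stands in for filterContext.Result
}

interface IAuthFilter { void OnAuthorization(AuthContext ctx); }

// The question's filter: changes the response status only.
class StatusOnlyFilter : IAuthFilter
{
    public void OnAuthorization(AuthContext ctx) { ctx.StatusCode = 404; }
}

// The answer's filter: assigns a result, which the invoker treats as "stop".
class ResultFilter : IAuthFilter
{
    public void OnAuthorization(AuthContext ctx) { ctx.Result = "HttpUnauthorizedResult"; }
}

static class Demo
{
    // Returns true if the action body ran.
    static bool Invoke(IAuthFilter filter, Action action)
    {
        var ctx = new AuthContext();
        filter.OnAuthorization(ctx);
        if (ctx.Result != null) return false;  // short-circuit: filter's result is used, action skipped
        action();                              // no result assigned: the action runs
        return true;
    }

    static void Main()
    {
        var items = new HashSet<string> { "item-1" };   // constructed sample data
        Invoke(new StatusOnlyFilter(), () => items.Remove("item-1"));
        Console.WriteLine("status-only filter, item deleted: " + !items.Contains("item-1"));

        items.Add("item-1");                             // restore for the second run
        Invoke(new ResultFilter(), () => items.Remove("item-1"));
        Console.WriteLine("result filter, item deleted: " + !items.Contains("item-1"));
    }
}
```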

Source: https://habr.com/ru/post/650603/

