ASP.NET MVC Route Params Authorization

Question

My site allows people to edit posts. I want people to only edit their posts. I need an authorization attribute, for example:

[CanEditPost(PostId = Id)] ActionResult Edit(int Id) { }

But it looks like the attribute parameters should be static, which makes this impossible. Is there any way around this?

+6

asp.net-mvc asp.net-mvc-3 asp.net-mvc-routing forms-authentication

Xodarap Mar 07 '11 at 19:35

source share

1 answer

Cd .. · Accepted Answer · 2011-03-07T19:43:48+0000

Yes.

If you create an attribute that inherits from AuthorizeAttribute ,

You must have access to the route parameters:

 protected override bool AuthorizeCore(HttpContextBase httpContext) { var postId = httpContext.Request.RequestContext.RouteData.Values["Id"]; . . . }