“Security aware” action link?

by

This is some code poached from the MvcSitemap project and modified for my own use. If I remember correctly this code has been modified for MVC2 and some of the functions might have to be back ported to MVC1.

Its not bad practices at all to mix MVC and FormsAuthentication together, MVC’s default authentication methods are build around the existing Asp.net security infrastructure.

Code to determine if user has permissions:

public static class SecurityTrimmingExtensions 
{

    public static bool HasActionPermission( this HtmlHelper htmlHelper, string actionName, string controllerName )
    {
        //if the controller name is empty the ASP.NET convention is:
        //"we are linking to a different controller
        ControllerBase controllerToLinkTo = string.IsNullOrEmpty(controllerName) 
                                                ? htmlHelper.ViewContext.Controller
                                                : GetControllerByName(htmlHelper, controllerName);

        var controllerContext = new ControllerContext(htmlHelper.ViewContext.RequestContext, controllerToLinkTo);

        var controllerDescriptor = new ReflectedControllerDescriptor(controllerToLinkTo.GetType());

        var actionDescriptor = controllerDescriptor.FindAction(controllerContext, actionName);

        return ActionIsAuthorized(controllerContext, actionDescriptor);
    }


    private static bool ActionIsAuthorized(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        if (actionDescriptor == null)
            return false; // action does not exist so say yes - should we authorise this?!

        AuthorizationContext authContext = new AuthorizationContext(controllerContext);

        // run each auth filter until on fails
        // performance could be improved by some caching
        foreach (IAuthorizationFilter authFilter in actionDescriptor.GetFilters().AuthorizationFilters)
        {
            authFilter.OnAuthorization(authContext);

            if (authContext.Result != null)
                return false;
        }

        return true;
    }

    private static ControllerBase GetControllerByName(HtmlHelper helper, string controllerName)
    {
        // Instantiate the controller and call Execute
        IControllerFactory factory = ControllerBuilder.Current.GetControllerFactory();

        IController controller = factory.CreateController(helper.ViewContext.RequestContext, controllerName);

        if (controller == null)
        {
            throw new InvalidOperationException(

                String.Format(
                    CultureInfo.CurrentUICulture,
                    "Controller factory {0} controller {1} returned null",
                    factory.GetType(),
                    controllerName));

        }

        return (ControllerBase)controller;
    }

}

Html Helpers

public static class SecurityTrimmedLink
{
    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName)
    {
        return htmlHelper.HasActionPermission(actionName, "")
                   ? htmlHelper.ActionLink(linkName, actionName)
                   : MvcHtmlString.Create("");
    }        

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, RouteValueDictionary routeValueDictionary )
    {
        return htmlHelper.HasActionPermission(actionName, "")
                   ? htmlHelper.ActionLink(linkName, actionName, routeValueDictionary)
                   : MvcHtmlString.Create("");
    }

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, object routeValues, object htmlAttributes )
    {
        return htmlHelper.HasActionPermission(actionName, "")
                   ? htmlHelper.ActionLink(linkName, actionName, routeValues, htmlAttributes)
                   : MvcHtmlString.Create("");
    }

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, string controllerName)
    {
        return htmlHelper.HasActionPermission(actionName, controllerName)
                   ? htmlHelper.ActionLink(linkName, actionName, controllerName)
                   : MvcHtmlString.Create("");
    }

    public static MvcHtmlString SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkName, string actionName, string controllerName, object routeValues, object htmlAttributes)
    {
        return htmlHelper.HasActionPermission(actionName, controllerName)
                   ? htmlHelper.ActionLink(linkName, actionName, controllerName, routeValues, htmlAttributes)
                   : MvcHtmlString.Create("");
    }
}

Warning: This won’t work in MVC 5 because the call to FindAction() never returns an action descriptor

I tried to find the issue and couldn’t and ended up programming a work around. 🙁

More Related Contents:

  1. How and where to define an environment variable on Azure
  2. How to validate uploaded file in ASP.NET MVC?
  3. where is the best place to save images from users upload
  4. How can I get the route name in controller in ASP.NET MVC?
  5. MVC [HttpPost/HttpGet] for Action
  6. How to remove ASP.Net MVC Default HTTP Headers?
  7. Fat model / thin controller vs. Service layer [closed]
  8. Customizing authorization in ASP.NET MVC
  9. How to pass parameters to a partial view in ASP.NET MVC?
  10. What ‘sensitive information’ could be disclosed when setting JsonRequestBehavior to AllowGet
  11. Asp.net core MVC post parameter always null
  12. Polymorphic model binding
  13. TempData keep() vs peek()
  14. Real example of TryUpdateModel, ASP .NET MVC 3
  15. allowDefinition=’MachineToApplication’ error when publishing from VS2010 (but only after a previous build)
  16. Razor-based view doesn’t see referenced assemblies
  17. Why is my CSS bundling not working with a bin deployed MVC4 app?
  18. ASP.NET: This method cannot be called during the application’s pre-start initialization stage
  19. Could not load file or assembly HRESULT: 0x80131515 (When adding controller to MVC project that has assembly references on network drive)
  20. MVC Routing Parameter Precedence
  21. Spring Test & Security: How to mock authentication?
  22. String URL to RouteValueDictionary
  23. How can I combine two fields in a SelectList text description?
  24. How to display an image from a path in asp.net MVC 4 and Razor view?
  25. MVC 5 Seed Users and Roles
  26. Redirecting to specified controller and action in asp.net mvc action filter
  27. MVC post a list of complex objects
  28. Overriding controller AuthorizeAttribute for just one action
  29. How can I use Html.Action?
  30. ASP.NET Web API, unexpected end of MIME multi-part stream when uploading from Flex FileReference

Leave a Comment