3

Is it possible to implement object-level security with a custom ActionFilterAttribute?

I read Branislav Abadjimarinov's answer to Get permission from Authorize Attribute? and started thinking about making an AuthorizeAttribute-like action filter for implementing object-level security.

Suppose I were to call it ObjectAuthorizeAttribute with the intended usage:

[ObjectAuthorize]
public ActionResult Edit(int id)
{
    //...
}

What would be the easiest way to access the ID value within OnActionExecuting?

Is something like this already available?

2 Answers

2

You can extend the AuthorizeAttribute and have access to things like RouteData via the AuthorizationContext. If you are doing authorization I think it makes more sense to start from the AuthorizeAttribute rather than ActionFilterAttribute.

var id = filterContext.RouteData.Values["id"];

1 Comment

I was wrong. Even though Values is a dictionary from strings to objects, RouteData.Values["id"] is still a string in my case even though I specify int id in the method signature. Regardless, your mentioning the RouteData property was extremely helpful.
1
var id = filterContext.HttpContext.Request["id"];

1 Comment

This will work for Edit?id=1 but not for Edit/1, which is usually the same page in MVC.
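
An added example, not code from either answer or from ASP.NET MVC itself: a sketch of the ObjectAuthorizeAttribute the question proposes, built on AuthorizeAttribute as the first answer suggests. Instead of indexing RouteData or Request directly, it reads "id" through the controller's value provider, which covers both Edit/1 and Edit?id=1 and is the same source the model binder uses. The CanAccess delegate and the 403 response are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Web.Mvc;

// ObjectAuthorizeAttribute is the name proposed in the question.
// CanAccess is a hypothetical hook, not part of ASP.NET MVC.
public class ObjectAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at application start to the real
    // ownership/ACL lookup. Denies everything until then (fail closed).
    public static Func<string, int, bool> CanAccess =
        (userName, objectId) => false;

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Built-in authentication, Users and Roles checks run first.
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null)
            return; // already rejected by the base class

        // Model binding has not run yet, so there is no typed "int id"
        // to read. The value provider returns the raw string from the
        // same sources the binder will consult for the action parameter,
        // so the filter and the action see the same value.
        ValueProviderResult value =
            filterContext.Controller.ValueProvider.GetValue("id");
        string userName = filterContext.HttpContext.User.Identity.Name;

        // The raw value is a string even though the action declares
        // "int id". A missing or non-numeric id is denied, not skipped.
        int objectId;
        if (value == null
            || !int.TryParse(value.AttemptedValue, NumberStyles.None,
                             CultureInfo.InvariantCulture, out objectId)
            || !CanAccess(userName, objectId))
        {
            // 403: the caller is authenticated but may not touch this object.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }
}
```

If the action is also output-cached, the cache-validation callback that AuthorizeAttribute registers repeats only the built-in checks, not the per-object check, so avoid combining this attribute with OutputCache.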
