MinchMeister - 25 days ago
C# Question

asp.net mvc5 custom authorization on HttpPost

If the HttpGet action method has an authorization filter, does the corresponding HttpPost need one as well? The HttpPost action method is protected with a ValidateAntiForgeryToken and data bind. Any user must be authenticated via LDAP.

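// GET: guarded by the custom authorization filter
[HttpGet]
[CustomAuthorization("Admin", "User")]
public ViewResult MyMethod() { return View(); }

// POST: anti-forgery token and bind whitelist only, no authorization filter
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult MyMethod([Bind(Include = "Vars")] Model model) { return View(model); }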

Answer

The filter attribute that you have works on a method. It does not have any effect on other methods. You can put an attribute on the class as well, then it will affect all of the methods (at least the ordinary Authorize attribute works this way, so I am almost certain it's the case for this one as well).

ValidateAntiForgeryToken does nothing with authentication. It just verifies that a token from the HTML is equal to the token from the cookie. You can read more about it, but basically it is to protect against CSRF attacks, not to authenticate users.
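As an added example (not code from the question or the answer): the class-level placement the answer describes, plus a reflection check that lists [HttpPost] actions carrying no authorization filter. `CustomAuthorizationAttribute` is an assumed stand-in that derives from `AuthorizeAttribute`, since the asker's filter is not shown; `MyController`, the body of `Model` and `AuthorizationAudit` are hypothetical names.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Assumed stand-in for the asker's filter: roles are checked by the base AuthorizeAttribute.
public class CustomAuthorizationAttribute : AuthorizeAttribute
{
    public CustomAuthorizationAttribute(params string[] roles)
    {
        Roles = string.Join(",", roles);
    }
}

public class Model { public string Vars { get; set; } }

// Class-level filter: runs before every action in the controller, GET and POST alike.
[CustomAuthorization("Admin", "User")]
public class MyController : Controller
{
    [HttpGet]
    public ViewResult MyMethod() { return View(); }

    [HttpPost]
    [ValidateAntiForgeryToken] // CSRF check only; authorization comes from the class attribute
    public ActionResult MyMethod([Bind(Include = "Vars")] Model model)
    {
        return RedirectToAction("MyMethod");
    }
}

public static class AuthorizationAudit
{
    // Returns "Controller.Action" for each [HttpPost] action with no AuthorizeAttribute
    // (or subclass) on the method or its controller, skipping [AllowAnonymous] actions.
    public static IEnumerable<string> UnprotectedPostActions(Assembly assembly)
    {
        return from type in assembly.GetTypes()
               where typeof(Controller).IsAssignableFrom(type) && !type.IsAbstract
               where !type.IsDefined(typeof(AuthorizeAttribute), true)
               from method in type.GetMethods(
                   BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
               where method.IsDefined(typeof(HttpPostAttribute), true)
               where !method.IsDefined(typeof(AuthorizeAttribute), true)
               where !method.IsDefined(typeof(AllowAnonymousAttribute), true)
               select type.Name + "." + method.Name;
    }
}
```

With the question's original layout (filter on the GET method only), `UnprotectedPostActions(typeof(MyController).Assembly)` would report `MyController.MyMethod`. The check does not see filters registered in `GlobalFilters` or actions that accept POST through `[AcceptVerbs]`.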
