
I have a problem with FluentSecurity when an ActionNameSelectorAttribute is used on a controller's action.

/// <summary>
/// Registers the application's FluentSecurity policies and then asks FluentSecurity
/// to assert that all actions are configured.
/// </summary>
public static void Configure()
{
    // Role names are read from the application configuration service resolved through DependencyResolver.
    var appConfig = DependencyResolver.Current.GetService<IApplicationConfiguration>();
    var superUserRole = appConfig.GetSuperUserGroupName();
    var userRole = appConfig.GetUserGroupName();

    var configured = SecurityConfigurator.Configure(policy =>
    {
        // Authentication status and roles are taken from the current request's principal
        // and from the ASP.NET role provider.
        policy.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
        policy.GetRolesFrom(System.Web.Security.Roles.GetRolesForUser);

        // Baseline applied to every controller: no anonymous access, super-user role required.
        policy.ForAllControllers().DenyAnonymousAccess().CachePerHttpRequest();
        policy.ForAllControllers().RequireAnyRole(superUserRole).CachePerHttpRequest();

        // The ELMAH controller is opened to the regular user group.
        // NOTE(review): error-log pages can contain request data and stack traces;
        // confirm this role is meant to see them.
        policy.For<Elmah.Mvc.ElmahController>().RequireAnyRole(userRole).CachePerHttpRequest();

        // Feature-specific rules live in their own profiles; the registration order is kept as written.
        policy.ApplyProfile<ProjectSecurityProfile>();
        policy.ApplyProfile<ProjectsSecurityProfile>();
        policy.ApplyProfile<RewecoSecurityProfile>();

        policy.DefaultPolicyViolationHandlerIs(() => new HttpUnauthorizedPolicyViolationHandler());
    });

    // NOTE(review): this check presumably enumerates declared action methods; an action name that is
    // only an alias resolved by an ActionNameSelectorAttribute may not be covered by it. Verify such
    // aliases have a policy, because a request for an unconfigured action is rejected at runtime.
    configured.AssertAllActionsAreConfigured();
}

When I run the application with the configuration above, AssertAllActionsAreConfigured passes and no exception is thrown. But as soon as I call the action methods in ActualHoursAssignmentController, which use HttpParamAction (a class that inherits from ActionNameSelectorAttribute), I get this exception:

Security has not been configured for controller PDATA.Web.Controllers.ActualHoursAssignmentController, action ActionChoiceByNameAttributeValue Area: (not set) Controller: ActualHoursAssignment Action: ActionChoiceByNameAttributeValue

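/// <summary>
/// Action-name selector that lets several action methods share one placeholder action name.
/// A method is selected either when the requested action name equals the method name, or when
/// the requested name is the placeholder and the request carries a value keyed by the method name.
/// </summary>
/// <remarks>
/// NOTE(review): when the placeholder is used, the action name seen by routing stays the placeholder.
/// A component that keys authorization policy on the routed action name would look up the placeholder
/// rather than the method that is finally selected, so confirm that policy lookups cover this alias.
/// </remarks>
public class HttpParamActionAttribute : ActionNameSelectorAttribute
{
    /// <summary>
    /// The placeholder action name that triggers selection by request key.
    /// </summary>
    public static string ActionChoiceByNameAttributeValue
    {
        get { return "ActionChoiceByNameAttributeValue"; }
    }

    /// <summary>
    /// Decides whether <paramref name="methodInfo"/> should handle the requested action name.
    /// </summary>
    /// <param name="controllerContext">Context of the current request; must not be null.</param>
    /// <param name="actionName">Requested action name; must not be null, empty or whitespace.</param>
    /// <param name="methodInfo">Candidate action method; must not be null and must have a name.</param>
    /// <returns>
    /// <c>true</c> when the names match, or when the placeholder name was requested and the request
    /// contains a value under the method's name; otherwise <c>false</c>.
    /// </returns>
    /// <exception cref="ArgumentNullException">An argument is null.</exception>
    /// <exception cref="ArgumentException">
    /// <paramref name="actionName"/> or the method name is empty or whitespace.
    /// </exception>
    public override bool IsValidName([NotNull] ControllerContext controllerContext, 
                                     [NotNull] string actionName, [NotNull] MethodInfo methodInfo)
    {
        if (controllerContext == null)
        {
            throw new ArgumentNullException("controllerContext");
        }

        if (actionName == null)
        {
            throw new ArgumentNullException("actionName");
        }

        if (methodInfo == null)
        {
            throw new ArgumentNullException("methodInfo");
        }

        if (String.IsNullOrWhiteSpace(actionName))
        {
            // ArgumentException(string) treats its single argument as the message, so the
            // (message, paramName) overload is used to report the parameter name correctly.
            throw new ArgumentException("Action name must not be empty or whitespace.", "actionName");
        }

        if (String.IsNullOrWhiteSpace(methodInfo.Name))
        {
            throw new ArgumentException("Method name must not be empty or whitespace.", "methodInfo");
        }

        // Action and method names are identifiers, so they are compared ordinally. A culture-sensitive
        // comparison can treat strings containing ignorable characters as equal, which would let a
        // name that is not byte-for-byte the method name still select the method.
        if (actionName.Equals(methodInfo.Name, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        if (!actionName.Equals(ActionChoiceByNameAttributeValue, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        // NOTE(review): the request indexer is a combined lookup (query string, form, cookies and
        // server variables), not only posted form fields. If only a submit button in the form should
        // choose the action, consider reading request.Form instead; left unchanged here so that
        // existing callers keep working.
        var request = controllerContext.RequestContext.HttpContext.Request;
        return request[methodInfo.Name] != null;
    }
}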

Usage of HttpParamAction attribute in ActualHoursAssignmentController

// Controller whose two POST actions are selected through HttpParamAction.
// NOTE(review): both actions change state and no [ValidateAntiForgeryToken] is visible here;
// confirm CSRF protection is applied elsewhere (for example on the base controller or a global filter).
public class ActualHoursAssignmentController : PdataBaseController
{
    // POST-only action for updating an assignment; the action is chosen by HttpParamAction.
    [HttpParamAction]
    [HttpPost]
    public ActionResult UpdateAssignment(ActualHoursAssignmentViewModel vm)
    {
        // Body omitted in the original snippet.
    }

    // POST-only action for deleting an assignment; the action is chosen by HttpParamAction.
    [HttpParamAction]
    [HttpPost]
    public ActionResult DeleteAssignment(ActualHoursAssignmentViewModel vm)
    {
        // Body omitted in the original snippet.
    }
}

UPDATE: Because I didn't find a solution, I have temporarily stopped using HttpParamActionAttribute. Instead I'm using this solution to handle multiple buttons in one form, but the question remains; maybe it is a bug.

Anton Kalcik

1 Answer


It looks like there is an issue in older versions of FluentSecurity with supporting Controller inheritance, see:

https://github.com/kristofferahl/FluentSecurity/wiki/Securing-controllers#securing-controllers-based-on-inheritance

Justin Harvey