3

I have the following action method inside ASP.NET MVC 5, which I define as ChildActionOnly:

[ChildActionOnly]
public ActionResult GetChildRecords(int customerid)

and I am calling it as follows, within my view:

<div>@Html.Action("GetChildRecords", "Customer", new {customerid = Model.CustomerID})</div>

but I have the following questions:

  1. Do I need to add the [Authorize] annotation before my child action method? Or can I be sure that, since its parent is being authorized, the child action method will be authorized also?

  2. Can users or hackers call a ChildActionOnly action directly?

  3. Could users or hackers modify the Html.Action parameters, for example to pass a different customerid in the HTML below?

@Html.Action("GetChildRecords", "Customer", new {customerid = Model.CustomerID})

John John

2 Answers

3

The essence of the attribute [ChildActionOnly] is to ensure that it is only called using Action or RenderAction and can't be called directly from the browser.

For question 1: If the calling action already has the [Authorize] attribute, you need not worry.

For question 2: hackers (or whoever) can't directly access it.

For question 3: since they can't directly call the action, I'm not sure it's something to worry about. But verify at the server side at all times for whatever input you are getting (forms, query string etc).

scartag
  • Thanks for the reply, but I realize something which I did not take care of: my action method is being called using AJAX requests, and it seems that decorating my action method with [ChildActionOnly] will not allow AJAX to call it. So now I am confused, because I need my action method to be called either using AJAX requests or using Html.Action, but at the same time to prevent users or hackers from calling it directly. Can you advise if there is a way to handle this? – John John Mar 09 '15 at 22:36
  • @johnG You can remove the `[ChildActionOnly]` and decorate the action with `[Authorize]`. And in the action either check that this customer logged in has the right to check the customerId he's providing .. or you could use a filter for that. – scartag Mar 09 '15 at 22:41
1

I agree with the answer from @scartag on questions 2 and 3:

2 - it is a child action, so it cannot be called directly

3 - an attacker could not intervene to modify the parameters as they are passed to the child action, so the initial validation in the parent action could be enough. However, this might result in poor encapsulation since some of the logic of the child action could leak into the parent.

On question 1, I think it would be good defence in depth to authorise the child action:

  • Today, it might be the case that all the parent actions are authorised, but what about in the future? What if another developer does not realise that is assumed and uses the child action on a new, unauthorised parent action? Maybe you could use code comments to reduce the chance of this, but why take a risk?
  • Depending on the complexity of your application's permissions model, the authorisation logic of the parent could be different from that of the child. Again, this might not be the case today, but might be in the future.
Mike Goodwin
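
The approach suggested in the comments above (drop `[ChildActionOnly]`, keep `[Authorize]`, and check inside the action that the logged-in user may read the supplied customerid), as an added example that is not code from the thread. `ICustomerAccess`, `InMemoryCustomerAccess`, its sample users and the `_ChildRecords` view name are assumptions made up for illustration.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Assumed abstraction, not from the thread: decides whether a user may read a customer.
public interface ICustomerAccess
{
    bool CanRead(string userName, int customerId);
}

// Constructed in-memory sample data standing in for a real permission store.
public class InMemoryCustomerAccess : ICustomerAccess
{
    private static readonly Dictionary<string, HashSet<int>> Allowed =
        new Dictionary<string, HashSet<int>>
        {
            { "alice", new HashSet<int> { 1, 2 } },
            { "bob", new HashSet<int> { 3 } }
        };

    public bool CanRead(string userName, int customerId)
    {
        HashSet<int> ids;
        return Allowed.TryGetValue(userName, out ids) && ids.Contains(customerId);
    }
}

public class CustomerController : Controller
{
    private readonly ICustomerAccess _access = new InMemoryCustomerAccess();

    // No [ChildActionOnly], so both Html.Action and AJAX reach this action;
    // [Authorize] rejects anonymous callers on either path.
    [Authorize]
    public ActionResult GetChildRecords(int customerid)
    {
        // On the AJAX path customerid comes from the client, so check it
        // against the authenticated identity on every call.
        if (!_access.CanRead(User.Identity.Name, customerid))
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        // "_ChildRecords" is a hypothetical partial view name.
        return PartialView("_ChildRecords", customerid);
    }
}
```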