3

Is it possible to implement object-level security with a custom ActionFilterAttribute?

I read Branislav Abadjimarinov's answer to "Get permission from Authorize Attribute?" and started thinking about making an AuthorizeAttribute-like action filter for implementing object-level security.

Suppose I were to call it ObjectAuthorizeAttribute with the intended usage:

```csharp
[ObjectAuthorize]
public ActionResult Edit(int id)
{
    //...
}
```

What would be the easiest way to access the ID value within OnActionExecuting?

Is something like this already available?

Daniel Trebbien

2 Answers

2

You can extend the AuthorizeAttribute and have access to things like RouteData via the AuthorizationContext. If you are doing authorization I think it makes more sense to start from the AuthorizeAttribute rather than ActionFilterAttribute.

```csharp
var id = filterContext.RouteData.Values["id"];
```
tvanfosson
  • I was wrong. Even though `Values` is a dictionary from strings to objects, `RouteData.Values["id"]` is still a string in my case even though I specify `int id` in the method signature. Regardless, your mentioning the `RouteData` property was extremely helpful. – Daniel Trebbien Jan 23 '11 at 23:03
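
A sketch of the approach from the answer above, added here as an illustration and not code posted by anyone in this thread: an `AuthorizeAttribute` subclass that reads the `id` route value, parses it strictly (it arrives as a string, as the comment notes) and denies the request unless an ownership check passes. `IObjectAccessChecker` and the static `Checker` property are hypothetical names, and `HttpStatusCodeResult` assumes ASP.NET MVC 3 or later.

```csharp
using System;
using System.Globalization;
using System.Web.Mvc;

// Hypothetical application service: decides whether a user may touch a record.
public interface IObjectAccessChecker
{
    bool CanAccess(string userName, int objectId);
}

[AttributeUsage(AttributeTargets.Method)]
public class ObjectAuthorizeAttribute : AuthorizeAttribute
{
    // Assumed wiring: assigned once at start-up (e.g. in Application_Start).
    public static IObjectAccessChecker Checker { get; set; }

    // Cached responses are re-validated through AuthorizeCore only, which this
    // check is not part of, so keep actions using it out of the output cache.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Run the stock checks (authenticated, Users, Roles) first.
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null)
            return; // already rejected by the base attribute

        // Route values arrive as strings even when the action declares
        // "int id", so parse strictly; anything unparsable is a denial.
        // Assumes the action's id is bound from the route segment.
        string raw = Convert.ToString(filterContext.RouteData.Values["id"],
                                      CultureInfo.InvariantCulture);
        int id;
        bool parsed = int.TryParse(raw, NumberStyles.None,
                                   CultureInfo.InvariantCulture, out id);

        string user = filterContext.HttpContext.User.Identity.Name;
        if (!parsed || Checker == null || !Checker.CanAccess(user, id))
        {
            // Fail closed. A 403 is used instead of HandleUnauthorizedRequest,
            // which would send an already signed-in user to the login page.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }
}
```

The check and the action must agree on which `id` they are looking at: if the action can also receive `id` from a form field or the query string, authorize the value the model binder will actually use, not only the route segment.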
1
```csharp
var id = filterContext.HttpContext.Request["id"];
```
Darin Dimitrov