1

I've tagged my controller with an authority annotation but would like to exempt one of the methods... can that be done? how?

[Authorize(Roles="Admin")]
public class ProductController : Controller
{
    [DEAUTHORIZE]
    public ActionResult Start(int it)
    { ... }
ekkis
  • 9,804
  • 13
  • 55
  • 105

2 Answers2

4

In MVC 4 was introduced AllowAnonymousAttribute which tells action invoker to skip AuthorizeAttribute.

[AllowAnonymous]
Lukáš Kotrba
  • 826
  • 7
  • 5
2

No, this can't be done. The standard way to achieve this is to simply move the Start action out in a separate controller. Another possibility consists into building a custom IFilterProvider which will apply the authorization attribute conditionally instead of baking it manually into the ProductController. For example NInject uses this and provides a pretty fluent syntax into configuring action filters. You can conditionally apply them based on the current context.

Community
  • 1
  • 1
Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928