18

I want to make the roles default for my controller class to "Administrators, Content Editors"

```csharp
[Authorize(Roles = "Administrators, Content Editor")]
```

I've done this by adorning the controller with the attribute above. However, there is one action that I want to be available to all (namely "View"). How can I reset the Roles so that everyone (including completely unauthorized users) has access to this action?

Note: I know I could adorn every single other action with the authorize attribute above, but I don't want to have to do that all the time. I want all of the controller's actions to be inaccessible by default so that if anyone adds an action they have to make a considered decision to make it available to the general public.

GEOCHET
Mr Grok
  • possible duplicate of [ASP MVC Authorize all actions except a few](http://stackoverflow.com/questions/780436/asp-mvc-authorize-all-actions-except-a-few) – Matt Apr 21 '14 at 14:06
  • 1
    So are you wanting something like [http://stackoverflow.com/questions/780436](http://stackoverflow.com/questions/780436)? – dave Apr 23 '09 at 11:01
  • Yup - looks about right ... wish this was inbuilt to the std controllers but not a big effort to code for. Thanks for linking me up. – Mr Grok May 16 '09 at 11:24

3 Answers

16

MVC4 has a new attribute meant exactly for this: `[AllowAnonymous]`

```csharp
[AllowAnonymous]
public ActionResult Register()
```

http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx

Simon_Weaver
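The pattern from this answer applied to the controller in the question, as an added example that is not part of the original answer or the linked blog post: the class-level `[Authorize]` keeps every action restricted by default, `[AllowAnonymous]` (MVC 4 or later) opens only the "View" action, and a reflection helper lists every opt-out so a unit test can hold them to a reviewed list. `ContentController`, `ViewItem`, `Edit` and `AnonymousAccessAudit` are hypothetical names, and the audit helper is an assumption about how a team might enforce the "considered decision" the question asks for.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Restricted by default: any action added later inherits the role check.
[Authorize(Roles = "Administrators, Content Editors")]
public class ContentController : Controller            // hypothetical name
{
    // Explicit opt-out: open to everyone, including unauthenticated users.
    // The method is named ViewItem so it does not shadow Controller.View().
    [AllowAnonymous]
    [ActionName("View")]
    public ActionResult ViewItem(int id)
    {
        return Content("public item " + id);
    }

    // No attribute needed: the class-level [Authorize] applies.
    public ActionResult Edit(int id)
    {
        return Content("editing item " + id);
    }
}

public static class AnonymousAccessAudit                // hypothetical helper
{
    // Every public action that skips authorization, as "Controller.Method".
    // [AllowAnonymous] on the controller class opts out all of its actions.
    public static IEnumerable<string> AnonymousActions(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance))
            .Where(m => m.DeclaringType != typeof(Controller)
                     && typeof(Controller).IsAssignableFrom(m.DeclaringType))
            .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true))
            .Where(m => m.IsDefined(typeof(AllowAnonymousAttribute), true)
                     || m.ReflectedType.IsDefined(typeof(AllowAnonymousAttribute), true))
            .Select(m => m.ReflectedType.Name + "." + m.Name);
    }

    // Anonymous actions missing from the reviewed list; a unit test can assert
    // this is empty so a new opt-out fails the build until someone reviews it.
    public static IList<string> Unreviewed(Assembly assembly, IEnumerable<string> reviewed)
    {
        return AnonymousActions(assembly).Except(reviewed).ToList();
    }
}
```

With the reviewed list set to `ContentController.ViewItem`, `Unreviewed` returns an empty list for this controller; marking `Edit` with `[AllowAnonymous]` would make it return `ContentController.Edit`.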
4

You can place the Authorize attribute on the action methods. Not just at the class level.

So, move the attribute from the controller class to just the action methods you want to secure.

Kieron
  • 1
    Hi Kieron, thanks for the response. As the Note part of my question stated I'm aware this is possible but I want the default for the controller actions to be unaccessible without having to adorn them with the authorize attribute. – Mr Grok Apr 23 '09 at 08:26
  • I think this is the best answer. – Ronnie Overby Nov 03 '11 at 00:17
0

The only solution I can think of so far is to create and register another controller so that I have one for anonymous access and one for authorized access, but that's not quite as elegant as I would have liked.

Mr Grok