Rules

Secret ingredients to quality software


Do you use the Authorize attribute to secure actions or controllers?

Created on 07 Mar 2013 | Last updated by Tiago Araujo on 02 Mar 2017 07:50 PM (about 4 years ago)

ASP.NET MVC provides the AuthorizeAttribute, which ensures there is a logged-in user before an action is executed. You can also pass parameters to restrict an action or a whole controller to certain roles or users. This is a better solution than checking for a logged-in user in code, because the authorisation logic lives in one place and doesn't need to be repeated in every action.

public ActionResult Delete(string tagName)
{
    // Manual role check: this has to be repeated in every action that needs it,
    // and a forgotten check silently leaves the action open
    if (!Request.RequestContext.HttpContext.User.IsInRole("CanDeleteTags"))
    {
        return new System.Web.Mvc.HttpUnauthorizedResult();
    }
    // delete view
    return View();
}

Figure: Bad Example – Checking for an appropriate role in code leads to repetition

// The framework rejects the request before the action body runs
[Authorize(Roles = "CanDeleteTags")]
public ActionResult Delete(string tagName)
{
    // ...delete tag
    return View();
}

Figure: Good Example – Using the Authorize attribute to check for appropriate roles
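As an added example (not part of the original rule or SSW's code), the block below shows the attribute applied at controller level so that every action is protected by default, with a single action opting out via [AllowAnonymous] and another tightening the rule to a role. It also includes a hypothetical AuthorizationCoverageCheck class that uses reflection to list any public action that is neither covered by [Authorize] nor explicitly marked [AllowAnonymous]; running it from a unit test catches the "forgot the attribute" mistake that the manual-check approach makes easy. The TagsController and AuthorizationCoverageCheck names are assumptions; it relies only on System.Web.Mvc (ASP.NET MVC 4 or later, which introduced AllowAnonymousAttribute).

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Controller-level attribute: every action requires a logged-in user
// unless an action explicitly opts out with [AllowAnonymous].
[Authorize]
public class TagsController : Controller
{
    // Deliberately public: anyone may list tags.
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View();
    }

    // Logged in is not enough here; the caller must also hold the role.
    // Both the controller-level and the action-level attribute are evaluated.
    [Authorize(Roles = "CanDeleteTags")]
    public ActionResult Delete(string tagName)
    {
        // ...delete the tag
        return View();
    }
}

// Hypothetical helper (not part of ASP.NET MVC): finds actions that nobody
// made a decision about, i.e. no [Authorize] on the action or its controller
// and no explicit [AllowAnonymous] on the action.
public static class AuthorizationCoverageCheck
{
    public static string[] FindUnprotectedActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        return controllers
            .SelectMany(controller => controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                // Only methods that return an ActionResult are routable actions.
                .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
                .Select(m => new { Controller = controller, Action = m }))
            .Where(a => !IsProtected(a.Controller, a.Action))
            .Select(a => a.Controller.Name + "." + a.Action.Name)
            .OrderBy(name => name)
            .ToArray();
    }

    private static bool IsProtected(Type controller, MethodInfo action)
    {
        // An explicit opt-out is a reviewed decision, so it is not reported.
        if (action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true))
        {
            return true;
        }

        return action.IsDefined(typeof(AuthorizeAttribute), inherit: true)
            || controller.IsDefined(typeof(AuthorizeAttribute), inherit: true);
    }
}

// Typical use from a test project (assumed test method name):
//   var unprotected = AuthorizationCoverageCheck.FindUnprotectedActions(
//       typeof(TagsController).Assembly);
//   Assert.IsEmpty(unprotected, string.Join(", ", unprotected));
```

The coverage check treats "no attribute at all" as the failure case rather than "no [Authorize]", so a developer who genuinely wants a public action has to say so with [AllowAnonymous]; that makes the exception visible in code review instead of being the silent default.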

Damian Brady
