Geeks With Blogs


AzamSharp Some day I will know everything. I hope that day never comes.

Today, I was playing around with the ASP.NET MVC Framework when I came across an interesting situation. I was displaying the Categories from the Northwind database as ActionLinks. When a link is clicked, a confirmation box pops up asking whether you want to delete the item. Here is the code that displays the link and the confirmation box:

<%-- CategoryID is the Northwind primary key; it becomes the route id and the confirmDelete argument --%>
<% foreach (var category in ViewData) { %>
    <%= Html.ActionLink<CategoryController>(c => c.Delete(category.CategoryID),
            category.CategoryName,
            new { onclick = "return confirmDelete(" + category.CategoryID + ")" }) %>
    <br />
<% } %>

<script type="text/javascript">
    // Returns false when the user cancels, which stops the browser from following the link.
    function confirmDelete(id) {
        return confirm("Are you sure you want to delete?");
    }
</script>

You don't strictly need a separate confirmDelete function, but anyway!

The HTML generated for this page (the Category List page) is shown below:

<a href="/Category/Delete/1" onclick="return confirmDelete(1)">Beverages</a>
<br />
<a href="/Category/Delete/2" onclick="return confirmDelete(2)">Condiments</a>
<br />
<a href="/Category/Delete/3" onclick="return confirmDelete(3)">Confections</a>
<br />
<a href="/Category/Delete/4" onclick="return confirmDelete(4)">Dairy Products</a>
<br />
<a href="/Category/Delete/5" onclick="return confirmDelete(5)">Grains/Cereals</a>
<br />

The generated HTML shows that /Category/Delete/1 deletes the item with id = 1. That means if I browse to http://localhost:[portnumber]/Category/Delete/1, the item with id = 1 is deleted. This opens a security hole: the confirmation box is JavaScript that runs only in the browser, so it protects nothing on the server, and anyone can type the URL with an id and delete items. One way to solve this is attribute-based security, as shown in this post. But then every restricted action has to be decorated with the security attribute, which is not a good idea.

Another way is to override the OnPreAction method, which the framework calls before the action method runs. I created a BaseController and inherited all my controllers from it, so OnPreAction is fired for every action on every controller.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Security;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;
using System.Xml.Linq;

public class BaseController : Controller
{
    public BaseController()
    {
    }

    // Runs before every action on every controller derived from BaseController.
    protected override bool OnPreAction(string actionName, MethodInfo methodInfo)
    {
        string controllerName = methodInfo.DeclaringType.Name;   // e.g. "CategoryController"
        if (!IsAuthenticated(controllerName, actionName))
            throw new SecurityException("not authenticated");

        return base.OnPreAction(actionName, methodInfo);
    }

    // Despite the name this is an authorization check: it looks up the role that
    // ControllerActionsSecurity.xml requires for this controller/action pair.
    private bool IsAuthenticated(string controllerName, string actionName)
    {
        HttpContext context = HttpContext.Current;

        // Load the XML once and keep it in the ASP.NET cache; the CacheDependency
        // evicts the cached copy whenever the file on disk changes.
        XDocument xDoc = context.Cache["ControllerActionsSecurity"] as XDocument;
        if (xDoc == null)
        {
            string path = context.Server.MapPath("~/ControllerActionsSecurity.xml");
            xDoc = XDocument.Load(path);
            context.Cache.Insert("ControllerActionsSecurity", xDoc, new CacheDependency(path));
        }

        IEnumerable<XElement> elements = xDoc.Element("ControllerSecurity").Elements();

        var role = (from e in elements
                    where (string)e.Attribute("controllerName") == controllerName
                       && (string)e.Attribute("actionName") == actionName
                    select new { RoleName = e.Attribute("Roles").Value }).SingleOrDefault();

        // No entry for this controller/action means it is unrestricted (fail-open):
        // only the pairs listed in the XML file are protected.
        if (role == null) return true;

        return User.IsInRole(role.RoleName);
    }
}

I have created a ControllerActionsSecurity.xml file which stores the controllers, the actions and the roles allowed to fire each action. Its root is the <ControllerSecurity> element that the code above reads:

<?xml version="1.0" encoding="utf-8"?>
<ControllerSecurity>
  <add controllerName="CategoryController" actionName="Delete" Roles="Admin" />
</ControllerSecurity>

Now, when you request /Category/Delete/1, the request is denied unless you are in the Admin role. This way you protect the controllers from firing restricted actions. Two things to keep in mind: an action with no entry in the XML file is allowed for everyone, so every action that needs protecting must be listed; and the check only establishes who sent the request, while the delete itself still runs on a plain GET, so a link to that URL on any page can still make a logged-in Admin delete a row.
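The lookup behind the BaseController above, written as an added example that is not part of the original post: a stand-alone, testable ActionSecurityPolicy class (the class name, the allowUnlisted switch, the second "CatalogManager" role and the extra Edit rule are all assumptions made for this example) that reads the same XML shape the post uses. It differs from the post's code in three ways a reviewer would ask for: the Roles attribute may list several roles separated by commas, any one of which is enough; a listed action is refused to anonymous users even if the role lookup somehow matches; and the default for an action that is not listed is a constructor argument, so the fail-open behaviour the post relies on becomes an explicit choice instead of a silent one. It needs only System.Xml.Linq and runs as a console program.

```csharp
// Added example, not code from the original post. Compile as a console app (csc or dotnet).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Xml.Linq;

public sealed class ActionSecurityPolicy
{
    // Key: "ControllerName/ActionName" (case-insensitive); value: roles allowed to run it.
    private readonly Dictionary<string, string[]> rules =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
    private readonly bool allowUnlisted;   // assumption: what to do for actions with no rule

    public ActionSecurityPolicy(XDocument doc, bool allowUnlisted)
    {
        this.allowUnlisted = allowUnlisted;
        XElement root = doc.Element("ControllerSecurity");   // same root as the post's XML
        if (root == null) throw new InvalidOperationException("missing <ControllerSecurity> root");

        foreach (XElement e in root.Elements("add"))
        {
            string key = (string)e.Attribute("controllerName") + "/" + (string)e.Attribute("actionName");
            // "Admin, CatalogManager" -> ["Admin", "CatalogManager"]
            string[] roles = ((string)e.Attribute("Roles") ?? "")
                .Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
            // Reject a policy file that is malformed instead of quietly allowing or denying.
            if (roles.Length == 0) throw new InvalidOperationException("rule without roles: " + key);
            if (rules.ContainsKey(key)) throw new InvalidOperationException("duplicate rule: " + key);
            rules[key] = roles;
        }
    }

    public bool IsAllowed(IPrincipal user, string controllerName, string actionName)
    {
        string[] roles;
        if (!rules.TryGetValue(controllerName + "/" + actionName, out roles))
            return allowUnlisted;                              // no rule: policy decides
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;                                      // anonymous never passes a listed rule
        return roles.Any(user.IsInRole);                       // any listed role is sufficient
    }
}

public static class Demo
{
    // Constructed sample policy in the same shape as the post's ControllerActionsSecurity.xml.
    const string PolicyXml =
        "<ControllerSecurity>" +
        "  <add controllerName=\"CategoryController\" actionName=\"Delete\" Roles=\"Admin, CatalogManager\" />" +
        "  <add controllerName=\"CategoryController\" actionName=\"Edit\"   Roles=\"Admin\" />" +
        "</ControllerSecurity>";

    // GenericPrincipal stands in for the HttpContext.User a real controller would see.
    static IPrincipal UserInRoles(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    public static void Main()
    {
        var failOpen   = new ActionSecurityPolicy(XDocument.Parse(PolicyXml), allowUnlisted: true);
        var failClosed = new ActionSecurityPolicy(XDocument.Parse(PolicyXml), allowUnlisted: false);

        IPrincipal admin     = UserInRoles("alice", "Admin");
        IPrincipal manager   = UserInRoles("bob", "CatalogManager");
        IPrincipal plainUser = UserInRoles("carol", "User");
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);  // empty name => not authenticated

        Console.WriteLine("admin     Delete: " + failOpen.IsAllowed(admin,     "CategoryController", "Delete"));
        Console.WriteLine("manager   Delete: " + failOpen.IsAllowed(manager,   "CategoryController", "Delete"));  // second role in the list
        Console.WriteLine("plainUser Delete: " + failOpen.IsAllowed(plainUser, "CategoryController", "Delete"));
        Console.WriteLine("anonymous Delete: " + failOpen.IsAllowed(anonymous, "CategoryController", "Delete"));
        Console.WriteLine("plainUser Index (fail-open):   " + failOpen.IsAllowed(plainUser,   "CategoryController", "Index"));  // unlisted, as in the post
        Console.WriteLine("plainUser Index (fail-closed): " + failClosed.IsAllowed(plainUser, "CategoryController", "Index"));  // unlisted, denied
    }
}
```

To wire this into the post's BaseController you would build one ActionSecurityPolicy from the cached XDocument and call IsAllowed(User, controllerName, actionName) from OnPreAction; the class takes an IPrincipal rather than touching HttpContext so the decision logic can be unit-tested without a web server, which is what lets the Main above run offline.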

Posted on Sunday, February 24, 2008 4:06 PM | Back to top

Comments on this post: ASP.NET MVC Controller And Action Role Authentication

# re: ASP.NET MVC Controller And Action Role Authentication
Hi Mohammad,

Thanks for this. It certainly looks like a clean and elegant solution. You could, if required, replace the call to the XML file with a db read to read security data from a db-based permission store.

I'm just wondering if you could post a sample of your ControllerActionsSecurity.xml?

Thanks again.
Left by Richard on Feb 28, 2008 11:11 AM

# re: ASP.NET MVC Controller And Action Role Authentication
The structure of the ControllerActionSecurity.xml is included in the above post. Right at the bottom.
Left by Mohammad Azam on Feb 29, 2008 3:36 AM

Copyright © Mohammad Azam