Overriding Controller Authorization in ASP.NET MVC -- Visual Studio Magazine

.NET Tips and Tricksby Peter Vogel

Overriding Controller Authorization in ASP.NET MVC

You have a Contoller class called Adminstration that only admins should use. There's about a dozen Action methods in the Controller class and they all should only be accessed by users in the Admin or SuperAdmin roles. Rather than put an Authorize attribute on each method, you can put just one on the Controller class, like this:

<Authorize(Roles:="Admin,SuperAdmin")>
Public Class AdministrationController

Did I say that all of your methods in this controller should be accessed only by the Admin and SuperAdmin users? I lied. There's one really annoying method that doesn't require this level of authorization (it just displays a list of administrators with their contact information). You could try moving it to another Controller or you could put Authorize attributes on all the methods ... or you could use OverrideAuthentication.

The OverrideAuthentication attribute lets you discard the authorization set at the Controller level. You can then follow the OverrideAuthentication attribute with whatever Authorize attribute your method actually needs.

Here's an example that lets anyone in the User role use the ListAdmins method:

<OverrideAuthentication>
<Authorize(Roles:="User")>
Public Function ListAdmins() As ActionResult

There are four other Override* attributes including one called OverrideException that lets you discard HandleError attributes set at the Controller or Global Filters level.

Posted by Peter Vogel on 07/18/2018

comments powered by Disqus

Featured

.NET-Centric Uno Platform Debuts 'Single Project' for 9 Targets

"We've reduced the complexity of project files and eliminated the need for explicit NuGet package references, separate project libraries, or 'shared' projects."
Creating Reactive Applications in .NET

In modern applications, data is being retrieved in asynchronous, real-time streams, as traditional pull requests where the clients asks for data from the server are becoming a thing of the past.
AI for GitHub Collaboration? Maybe Not So Much

No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.
Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.
.NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.

Subscribe on YouTube

.NET Insight

Email Address*Country*

Please type the letters/numbers you see above.

Upcoming Training Events

0 AM

Visual Studio Live! Chicago
April 29-May 3, 2024

VSLive! 2-Day Training Seminar: Building Cloud-Ready, Resilient Systems in .NET
June 4-5, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
July 16-19, 2024

Visual Studio Live! Microsoft HQ
August 5-9, 2024

Live! 360 2-Day Hands-On Seminar: Swimming in the Lakes of Microsoft Fabric and AI - A Hands-on Experience
August 20-21, 2024

VSLive! 4-Day Hands-On Training Seminar: Hands-on with Blazor
September 17-20, 2024

VSLive! 2-Day Hands-On Training Seminar: Developing Secure ASP.NET Web Apps
September 24-25, 2024

Live! 360 Orlando
November 17-22, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
December 10-13, 2024

Free Webcasts

> More Webcasts

.NET Tips and Tricksby Peter Vogel