.NET Tips and Tricksby Peter Vogel

Blog archive

Overriding Controller Authorization in ASP.NET MVC

You have a Contoller class called Adminstration that only admins should use. There's about a dozen Action methods in the Controller class and they all should only be accessed by users in the Admin or SuperAdmin roles. Rather than put an Authorize attribute on each method, you can put just one on the Controller class, like this: 

<Authorize(Roles:="Admin,SuperAdmin")>
Public Class AdministrationController

Did I say that all of your methods in this controller should be accessed only by the Admin and SuperAdmin users? I lied. There's one really annoying method that doesn't require this level of authorization (it just displays a list of administrators with their contact information). You could try moving it to another Controller or you could put Authorize attributes on all the methods ... or you could use OverrideAuthentication.

The OverrideAuthentication attribute lets you discard the authorization set at the Controller level. You can then follow the OverrideAuthentication attribute with whatever Authorize attribute your method actually needs.

Here's an example that lets anyone in the User role use the ListAdmins method: 

<OverrideAuthentication>
<Authorize(Roles:="User")>
Public Function ListAdmins() As ActionResult

There are four other Override* attributes including one called OverrideException that lets you discard HandleError attributes set at the Controller or Global Filters level.

Posted by Peter Vogel on 07/18/2018


comments powered by Disqus

Featured

  • IDE Irony: Coding Errors Cause 'Critical' Vulnerability in Visual Studio

    In a larger-than-normal Patch Tuesday, Microsoft warned of a "critical" vulnerability in Visual Studio that should be fixed immediately if automatic patching isn't enabled, ironically caused by coding errors.

  • Building Blazor Applications

    A trio of Blazor experts will conduct a full-day workshop for devs to learn everything about the tech a a March developer conference in Las Vegas keynoted by Microsoft execs and featuring many Microsoft devs.

  • Gradient Boosting Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the gradient boosting regression technique, where the goal is to predict a single numeric value. Compared to existing library implementations of gradient boosting regression, a from-scratch implementation allows much easier customization and integration with other .NET systems.

  • Microsoft Execs to Tackle AI and Cloud in Dev Conference Keynotes

    AI unsurprisingly is all over keynotes that Microsoft execs will helm to kick off the Visual Studio Live! developer conference in Las Vegas, March 10-14, which the company described as "a must-attend event."

  • Copilot Agentic AI Dev Environment Opens Up to All

    Microsoft removed waitlist restrictions for some of its most advanced GenAI tech, Copilot Workspace, recently made available as a technical preview.

Most   Popular

Subscribe on YouTube