Bypass or turn off [Authorize(Roles="")] during development?

Building an MVC3 application, and TPTB want us to use their custom authorization provider. However, during development this auth provider is kind of a pain, since it will either give an error until you shut down/restart the browser, or it will require you to re-log on every compile.

For now, I just added <authentication mode="None"/> to the web.config, which works fine until I encounter an action or controller that uses the [Authorize(Roles = "Admin")] filter (it can be any role, not just Admin). When it hits one of those, it just renders a blank page.

Is there a way to globally and temporarily turn these filters off? Or just give the user all roles while I'm in development?

EDIT

Let me clarify- I'm actually porting over a large app from MVC2 to MVC3. It has lots of [Authorize(Roles="Admin")] and [Authorize(Roles="Admin,Editor")] throughout it. I'd rather not change all of those if possible.

Should I just create a small custom role provider that gives all roles automatically?

Jamie M asked Dec 07 '12 16:12


2 Answers

You could write a custom Authorize filter which will not perform any checks if the request is coming from localhost:

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext.Request.Url.IsLoopback)
        {
            // It was a local request => authorize the guy
            return true;
        }

        return base.AuthorizeCore(httpContext);
    }
}

Darin Dimitrov answered Sep 19 '22 20:09


You can inherit from AuthorizeAttribute and separate the implementations with the #if DEBUG directive.

public class MyAuthorizeAttribute: AuthorizeAttribute
{
#if DEBUG
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return true;
    }
#endif
}

Or #define YOUR_OWN_FLAG to turn behavior on and off in any build, debug or release.

Anri answered Sep 20 '22 20:09
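
An added example, not code from either answer: a debug-only hook in Global.asax.cs that gives local requests a principal holding the roles named in the question, so the existing [Authorize(Roles = "...")] attributes stay untouched and the bypass is compiled out of release builds. MvcApplication, DevRoles and the "dev-user" identity are assumed names, and the sketch assumes the ASP.NET role manager is not enabled, since its module would replace the principal set here.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: merge into the application's existing Global.asax.cs class.
// "MvcApplication", "DevRoles" and "dev-user" are assumed names.
public class MvcApplication : HttpApplication
{
#if DEBUG
    // Roles used by the [Authorize(Roles = "...")] filters quoted in the question.
    private static readonly string[] DevRoles = { "Admin", "Editor" };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Request.IsLocal looks at the client address (loopback or the
        // server's own address), not at the host name in the URL.
        if (!context.Request.IsLocal)
            return;

        // Second switch: requires <compilation debug="true"> in web.config,
        // so a debug binary copied to a server with debug="false" stays locked.
        if (!context.IsDebuggingEnabled)
            return;

        // If the real auth provider already produced a login, keep it.
        if (context.User != null && context.User.Identity.IsAuthenticated)
            return;

        // A GenericIdentity with a non-empty name reports IsAuthenticated == true,
        // so the stock AuthorizeAttribute passes its identity and role checks.
        context.User = new GenericPrincipal(new GenericIdentity("dev-user"), DevRoles);
    }
#endif
}
```

Because the whole handler sits inside #if DEBUG, a Release build contains no bypass code at all, and every request goes through the configured authorization provider.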