Menu
Building an MVC3 application, and TPTB want us to use their custom authorization provider. However, during development this auth provider is kind of a pain, since it will either give an error til you shut down/restart the browser, or it will require you to re-log o on every compile.
For now, I just added <authentication mode="None"/> to the web.config, which works fine until I encounter an action or controller that uses the [Authorize(Roles = "Admin")] filter (it can be any role, not just Admin). When it hits one of those, it just renders a blank page.
Is there a way globally and temporarily turn these filters off? Or just give the user all roles while I'm in development?
EDIT
Let me clarify- I'm actually porting over a large app from MVC2 to MVC3. It has lots of [Authorize(Roles="Admin")] and [Authorize(Roles="Admin,Editor")] throughout it. I'd rather not change all of those if possible.
Should I just create a small custom role provider that gives all roles automatically?
869
The Authorize attribute is inheritable. This means that you can add it to a base controller class of yours and thereby ensure that any methods of any derived controllers are subject to authentication. NOTE: In general, any public method on a Controller class can be invoked via a valid URL.
In ASP.NET MVC, by default, all the action methods are accessible to both anonymous and authenticated users. But, if you want the action methods to be available only for authenticated and authorized users, then you need to use the AuthorizationFilter in MVC.
If you combine [AllowAnonymous] and any [Authorize] attribute, the [Authorize] attributes are ignored. For example if you apply [AllowAnonymous] at the controller level, any [Authorize] attributes on the same controller (or on any action within it) is ignored.
You could write a custom Authorize filter which will not perform any checks if the request is coming from localhost:
public class MyAuthorizeAttribute : AuthorizeAttribute { protected override bool AuthorizeCore(HttpContextBase httpContext) { if (httpContext.Request.Url.IsLoopback) { // It was a local request => authorize the guy return true; } return base.AuthorizeCore(httpContext); } } You can inherit from AuthorizeAttribute and separate realizations with #if DEBUG directive.
public class MyAuthorizeAttribute: AuthorizeAttribute
{
#if DEBUG
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return true;
}
#endif
}
Or #define YOUR_OWN_FLAG to turn behavior on and off in any build, debug or release.
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
