I have a custom action filter like this:
    public class MySecurityTest : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Do some security tests
            base.OnActionExecuting(filterContext);
        }
    }
I add this to FilterConfig for all the actions, but I need some actions to work without it.
For now I use something like this:
    public class MySecurityTest : ActionFilterAttribute
    {
        public bool CheckRules { get; set; }

        public MySecurityTest(bool checkRules = true)
        {
            CheckRules = checkRules;
        }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            if (CheckRules)
            {
                // Do some security tests
            }
            base.OnActionExecuting(filterContext);
        }
    }
And the usage:
    [MySecurityTest(false)]
    public ActionResult Index()
    {
        return View();
    }
But how can I build something like the [AllowAnonymous] attribute?
Best regards
You simply need to make another attribute and use .NET reflection to check for its existence.
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Pass the ActionDescriptor, which is what the helper below expects
        if (!HasMyIgnoreAttribute(filterContext.ActionDescriptor))
        {
            // Do some security tests
        }
        base.OnActionExecuting(filterContext);
    }

    public bool HasMyIgnoreAttribute(ActionDescriptor actionDescriptor)
    {
        // Check if the attribute exists on the action method
        bool existsOnMethod = actionDescriptor.IsDefined(typeof(MyIgnoreAttribute), false);
        if (existsOnMethod)
        {
            return true;
        }
        // Check if the attribute exists on the controller
        return actionDescriptor.ControllerDescriptor.IsDefined(typeof(MyIgnoreAttribute), false);
    }
And then make a custom attribute to decorate your actions/controllers with.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
    public class MyIgnoreAttribute : Attribute
    {
    }

    // The filter applies to every action on the controller...
    [MySecurityTest]
    public class MyController : Controller
    {
        // ...except this one, which opts out
        [MyIgnore]
        public ActionResult Index()
        {
            return View();
        }

        public ActionResult About()
        {
            return View();
        }
    }
In general, it is best not to use ActionFilterAttribute if you are using dependency injection, since attributes should contain no behavior as in this answer. You should also consider using an authorization filter (or AuthorizationAttribute-inherited class) rather than an action filter for security checks, since it is done earlier in the pipeline.
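The authorization-filter variant suggested above, as an added example that is not part of either answer. It assumes ASP.NET MVC 5 (`System.Web.Mvc`); `SkipMySecurityTestAttribute` and `PassesSecurityTests` are hypothetical names, and the check inside `PassesSecurityTests` is a placeholder for the question's "security tests".

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Marker only: no behaviour, it just flags an action or controller as exempt.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class SkipMySecurityTestAttribute : Attribute
{
}

// Authorization filter: runs before model binding and before any action filter.
public class MySecurityTestAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        ActionDescriptor action = filterContext.ActionDescriptor;

        // Same lookup the framework does for [AllowAnonymous]: action, then controller.
        bool exempt =
            action.IsDefined(typeof(SkipMySecurityTestAttribute), inherit: true) ||
            action.ControllerDescriptor.IsDefined(typeof(SkipMySecurityTestAttribute), inherit: true);
        if (exempt)
            return;

        // Deny by default: anything not explicitly exempt must pass the check.
        if (!PassesSecurityTests(filterContext.HttpContext))
        {
            // Setting Result short-circuits the pipeline; the action never runs.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }

    // Placeholder check (assumption); replace with the real security tests.
    protected virtual bool PassesSecurityTests(HttpContextBase httpContext)
    {
        return httpContext.Request.IsAuthenticated;
    }
}

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new MySecurityTestAttribute()); // applies to every action
    }
}
```

With the filter registered globally, every new action is covered unless it carries the opt-out marker, so the exemptions can be reviewed by searching for one attribute name. If protected actions also use output caching, a cached response can be served without the filter running, which is why the built-in `AuthorizeAttribute` registers a cache validation callback.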
But how can I build something like the [AllowAnonymous] attribute?
Quite easy actually:
[AttributeUsage(AttributeTargets.Method)]
public class ExcludeMySecurityAttribute : Attribute
{
}
and then in your filter account for it:
    using System.Linq; // needed for Any()

    public class MySecurityTest : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(ExcludeMySecurityAttribute), true).Any())
            {
                // The controller action is decorated with the exclude attribute
                // so you should probably do nothing here
            }
            else
            {
                // Do your security tests here
            }
        }
    }
Now all that's left is decorate:
    [ExcludeMySecurity]
    public ActionResult Index()
    {
        return View();
    }