I have the following action method inside ASP.NET MVC 5, which I define as ChildActionOnly:
[ChildActionOnly]
public ActionResult GetChildRecords(int customerid)
and I am calling it as follows, within my view:
<div>@Html.Action("GetChildRecords", "Customer", new {customerid = Model.CustomerID})</div>
but I have the following questions:
1. Do I need to add the [Authorize] annotation before my child action method? Or can I be sure that, since its parent is being authorized, the child action method will be authorized also?
2. Can users or hackers call a ChildActionOnly action directly?
3. Could users or hackers modify the Html.Action parameters, for example to pass a different customerid in the HTML below?
@Html.Action("GetChildRecords", "Customer", new {customerid = Model.CustomerID})
The essence of the attribute [ChildActionOnly] is to ensure that it is only called using Action or RenderAction and can't be called directly from the browser.
For question 1: If the calling action already has the [Authorize] attribute, you need not worry.
For question 2: hackers (or whoever) can't directly access it.
For question 3: since they can't directly call the action, I'm not sure it's something to worry about. But verify at the server side at all times for whatever input you are getting (forms, query string, etc.).
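The answer's advice to verify input on the server, applied to this child action as an added example (not code from the original post). The `OwnerUserName` field, the in-memory `RecordStore` and the `_ChildRecords` partial view name are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical model, constructed for this example.
public class ChildRecord
{
    public int CustomerId { get; set; }
    public string OwnerUserName { get; set; }
    public string Description { get; set; }
}

// Hypothetical in-memory store with constructed sample data.
public static class RecordStore
{
    public static readonly List<ChildRecord> Records = new List<ChildRecord>
    {
        new ChildRecord { CustomerId = 1, OwnerUserName = "alice", Description = "Order A" },
        new ChildRecord { CustomerId = 2, OwnerUserName = "bob", Description = "Order B" }
    };
}

[Authorize] // controller-level: covers every action here, the child action included
public class CustomerController : Controller
{
    [ChildActionOnly] // reachable only through Html.Action / Html.RenderAction
    public ActionResult GetChildRecords(int customerid)
    {
        // Re-check on the server that the signed-in user may see this customer.
        // The id comes from the parent's model, which may itself have been
        // loaded from a route, query string or form value.
        string user = User.Identity.Name;
        List<ChildRecord> records = RecordStore.Records
            .Where(r => r.CustomerId == customerid && r.OwnerUserName == user)
            .ToList();

        if (records.Count == 0)
        {
            // Render nothing rather than another customer's records.
            return new EmptyResult();
        }

        return PartialView("_ChildRecords", records);
    }
}
```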