Override Authorize Attribute in ASP.NET MVC

Question

I have an MVC controller base class on which I applied the Authorize attribute since I want almost all of the controllers (and their actions along) to be authorized.

However I need to have a controller and an action of another controller unauthorized. I wanted to be able to decorate them with the [Authorize(false)] or something but this is not available.

Any ideas?

Answer 1

Edit: Since ASP.NET MVC 4 the best approach is simply to use the built-in AllowAnonymous attribute.

The answer below refers to earlier versions of ASP.NET MVC

You could create a custom authorisation attribute inheriting from the standard AuthorizeAttribute with an optional bool parameter to specify whether authorisation is required or not.

public class OptionalAuthorizeAttribute : AuthorizeAttribute {     private readonly bool _authorize;      public OptionalAuthorizeAttribute()     {         _authorize = true;     }      public OptionalAuthorizeAttribute(bool authorize)     {         _authorize = authorize;     }      protected override bool AuthorizeCore(HttpContextBase httpContext)     {         if(!_authorize)             return true;                      return base.AuthorizeCore(httpContext);     } } 

Then you can decorate your base controller with that attribute:

[OptionalAuthorize] public class ControllerBase : Controller { } 

and for any controllers you don't want authorisation simply use the override with a 'false' - e.g.

[OptionalAuthorize(false)] public class TestController : ControllerBase {     public ActionResult Index()     {         return View();     } } 

Answer 2

It seems ASP.NET MVC 4 'fixed' this by adding an AllowAnonymous attribute.

David Hayden wrote about this :

[Authorize] public class AccountController : Controller {     [AllowAnonymous]     public ActionResult Login()     {         // ...     }      // ... }