Authorize one action in a controller but don't require a role

asp.net-mvc roles authorize
BYoung picture BYoung · Jul 10, 2013 · Viewed 7k times · Source

I have a Product controller the required role of "product_editor" to access most of the methods. there are a few actions that don't require authorization so [AllowAnonymous] works great. However, I have one action i would like to require they are logged in but they may not be a product editor.

Is there a simple way to declare this for the one action?

you can see a couple of my attempts commented out

[Authorize(Roles = "product_editor")]
public class ProductController : Controller
{
    #region Public Actions
    [AllowAnonymous]
    public ActionResult Search(string keyword...

    [AllowAnonymous]
    public ActionResult Details(string id...
    #endregion

    //[Authorize]
    //[Authorize(Roles="")]
    public ActionResult AuthorizedDownload(long id, string step)
    {
        SecureDownloadLink link = SecureDownloadLink.Load(id);
        if(link.belongsTo(HttpContext.Current.User.Identity.Name))
        {
            //Allow download
        }
        else
        {
            //Return 404 Error
        }
    }
}

--Edit--

Found a working solution but would love an attribute based solution since the rest of my authentication is done in attributes and the [AllowAnonymous] is a bit misleading.

[AllowAnonymous]
public ActionResult AuthorizedDownload(long id, string step)
{
    if (!User.Identity.IsAuthenticated)
        return RedirectToAction("Login", "Account", new { ReturnUrl = Request.Url.LocalPath });
....
}

Answer

Darin Dimitrov picture Darin Dimitrov · Jul 10, 2013

I don't think there's a simple way to achieve that, other than explicitly specifying the Authorize attribute explicitly on each controller action:

public class ProductController : Controller
{
    #region Public Actions
    [AllowAnonymous]
    public ActionResult Search(string keyword...

    [AllowAnonymous]
    public ActionResult Details(string id...
    #endregion

    [Authorize]
    public ActionResult AuthorizedDownload(long id, string step)
    {
        SecureDownloadLink link = SecureDownloadLink.Load(id);
        if(link.belongsTo(HttpContext.Current.User.Identity.Name))
        {
            //Allow download
        }
        else
        {
            //Return 404 Error
        }
    }

    [Authorize(Roles = "product_editor")]
    public ActionResult SomeOtherAction()
    {
        ...
    }
}

or if you have many actions, another possibility is to move the action that differs in a separate controller.

Related questions

Allow multiple roles to access controller action

Right now I decorate a method like this to allow "members" to access my controller action [Authorize(Roles="members")] How do I allow more than one role? For example the following does not work but it shows what I am …

Read More
asp.net identity get all roles of logged in user

I created a role based menu for which I followed this tutorial. Some where down that page you'll see this line of code: String[] roles = Roles.GetRolesForUser(); It returns all roles of the currently logged in user. I was wondering …

Read More
ASP.NET MVC Roles Authorization

I want to make the roles default for my controller class to "Administrators, Content Editors" [Authorize(Roles = "Administrators, Content Editor")] I've done this by adorning the controller with the attribute above. However, there is one action that I want to …

Read More