Bypass or turn off [Authorize(Roles="")] during development?
Building an MVC3 application, and TPTB want us to use their custom authorization provider. However, during development this auth provider is kind of a pain, since it will either give an error til you shut down/restart the browser, or it will require you to re-log o on every compile.
For now, I just added <authentication mode="None"/> to the web.config, which works fine until I encounter an action or controller that uses the [Authorize(Roles = "Admin")] filter (it can be any role, not just Admin). When it hits one of those, it just renders a blank page.
Is there a way globally and temporarily turn these filters off? Or just give the user all roles while I'm in development?
EDIT
Let me clarify- I'm actually porting over a large app from MVC2 to MVC3. It has lots of [Authorize(Roles="Admin")] and [Authorize(Roles="Admin,Editor")] throughout it. I'd rather not change all of those if possible.
Should I just create a small custom role provider that gives all roles automatically?
Answer
You could write a custom Authorize filter which will not perform any checks if the request is coming from localhost:
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext.Request.Url.IsLoopback)
{
// It was a local request => authorize the guy
return true;
}
return base.AuthorizeCore(httpContext);
}
}