Geeks With Blogs
AzamSharp Some day I will know everything. I hope that day never comes.

Today, I was playing around with the ASP.NET MVC Framework when I came across an interesting situation. I was displaying Categories from the Northwind database as ActionLinks. Clicking a link pops up a confirmation box asking whether you want to delete the item. Here is the code for the link and the confirmation box:

<% foreach (var category in ViewData) { %>
    <%= Html.ActionLink<CategoryController>(
            c => c.Delete(category.CategoryID),
            category.CategoryName,
            new { onclick = "return confirmDelete(" + category.CategoryID + ")" }) %>
    <br />
<% } %>

function confirmDelete(id) {
    return confirm("Are you sure you want to delete?");
}

You don't need to define a separate confirmDelete function for this (the confirm call could sit directly in the onclick attribute), but anyway!

The HTML code generated for this particular page (The Category List Page) is shown below:

<a href="/Category/Delete/1" onclick="return confirmDelete(1)">Beverages Edite</a>
<br />
<a href="/Category/Delete/2" onclick="return confirmDelete(2)">Condiments</a>
<br />
<a href="/Category/Delete/3" onclick="return confirmDelete(3)">Confections</a>
<br />
<a href="/Category/Delete/4" onclick="return confirmDelete(4)">Dairy Products</a>
<br />
<a href="/Category/Delete/5" onclick="return confirmDelete(5)">Grains/Cereals</a>
<br />

The generated HTML shows that /Category/Delete/1 deletes the item with id = 1. In other words, browsing to http://localhost:[portnumber]/Category/Delete/1 deletes the item with id = 1. That is a security hole: the JavaScript confirmation runs only in the browser and nothing enforces it, so anyone can type the URL with an id (or send the request from any HTTP client) and delete items. The authorization check has to happen on the server. (A link also issues a GET request, so the deletion can be triggered by anything that follows links, such as a browser prefetch or an image tag on another site; moving the delete to a POST is a separate fix from the check below.) One way to solve the authorization problem is attribute-based security, as shown in the linked post, but then you have to decorate each of your actions with the security attribute, which is not a good idea.

Another way is to override the OnPreAction method, which the framework calls before the action method runs. I created a BaseController and inherited all my controllers from it, so OnPreAction runs for every action of every controller. (OnPreAction belongs to the early ASP.NET MVC CTP; in later releases the equivalent hook is OnActionExecuting, and the built-in AuthorizeAttribute does this job.)

using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Security;
using System.Web;
using System.Web.Mvc;
using System.Xml.Linq;

public class BaseController : Controller
{
    public BaseController()
    {
    }

    // Runs before every action of every controller derived from BaseController.
    protected override bool OnPreAction(string actionName, MethodInfo methodInfo)
    {
        string controllerName = methodInfo.DeclaringType.Name;
        if (!IsAuthenticated(controllerName, actionName))
            throw new SecurityException("not authenticated");

        return base.OnPreAction(actionName, methodInfo);
    }

    private bool IsAuthenticated(string controllerName, string actionName)
    {
        HttpContext context = HttpContext.Current;

        // Load the policy file on first use and store it in the cache; later
        // requests reuse the cached document instead of re-reading the file.
        XDocument xDoc = (XDocument)context.Cache["ControllerActionsSecurity"];
        if (xDoc == null)
        {
            xDoc = XDocument.Load(context.Server.MapPath("~/ControllerActionsSecurity.xml"));
            context.Cache["ControllerActionsSecurity"] = xDoc;
        }

        IEnumerable<XElement> elements = xDoc.Element("ControllerSecurity").Elements();

        // Compare names case-insensitively: the URL resolves to the action method
        // regardless of case, so the policy lookup has to match the same way.
        var role = (from e in elements
                    where string.Equals((string)e.Attribute("controllerName"), controllerName, StringComparison.OrdinalIgnoreCase)
                       && string.Equals((string)e.Attribute("actionName"), actionName, StringComparison.OrdinalIgnoreCase)
                    select new { RoleName = e.Attribute("Roles").Value }).SingleOrDefault();

        // No entry for this controller/action means the action is unrestricted.
        if (role == null) return true;

        // IsInRole is false for anonymous users, so they are refused as well.
        return User.IsInRole(role.RoleName);
    }
}

I created a ControllerActionsSecurity.xml file that lists, for each controller and action, the roles allowed to run it. The root element is <ControllerSecurity> (the name the code above looks up), with one <add> entry per restricted action:

<?xml version="1.0" encoding="utf-8"?>
<ControllerSecurity>
  <add controllerName="CategoryController" actionName="Delete" Roles="Admin" />
</ControllerSecurity>

Now, when you request /Category/Delete/1, the request is refused unless you are in the Admin role; an anonymous user is refused as well, since IsInRole is false when nobody is signed in. This way you protect the controllers from firing restricted actions. Two things to keep in mind: the SecurityException surfaces as a server error page unless you catch it, so you may prefer to return a 401/403 or redirect to the login page; and an action with no entry in the file is allowed for everyone, so keep the file up to date as you add actions.
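As an added example (it is not code from the original post), here is the same controller/action-to-roles lookup pulled out of ASP.NET into a stand-alone C# program, so the policy logic can be exercised against constructed users. It adds the checks a reviewer would ask for: a malformed file fails loudly instead of silently allowing everything, controller and action names are compared case-insensitively (the action segment of a URL resolves to the method regardless of case), the Roles attribute may hold a comma-separated list, and anonymous callers are refused on a listed action. The allowUnlisted flag chooses between the post's default-allow for actions missing from the file and a fail-closed policy. The class and method names, the sample policy and the GenericPrincipal users are all constructed for this example.

```csharp
// Added example, not code from the original post: a stand-alone evaluator for the
// ControllerActionsSecurity.xml format, with the checks the post's IsAuthenticated
// lacks. Everything below (class and method names, the sample policy and the
// GenericPrincipal test users) is constructed for this example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Xml.Linq;

public sealed class ControllerActionPolicy
{
    // "ControllerName/ActionName" (case-insensitive) -> roles allowed to run it.
    private readonly Dictionary<string, HashSet<string>> rules =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
    private readonly bool allowUnlisted;

    // allowUnlisted = true reproduces the post's behaviour (an action with no entry is
    // open to everyone); false is fail-closed: every reachable action must be listed.
    public ControllerActionPolicy(XDocument doc, bool allowUnlisted)
    {
        this.allowUnlisted = allowUnlisted;
        XElement root = doc.Element("ControllerSecurity");
        if (root == null)
            throw new InvalidOperationException("ControllerSecurity root element missing");

        foreach (XElement e in root.Elements("add"))
        {
            string controller = (string)e.Attribute("controllerName");
            string action = (string)e.Attribute("actionName");
            string roles = (string)e.Attribute("Roles");
            if (string.IsNullOrEmpty(controller) || string.IsNullOrEmpty(action)
                || string.IsNullOrEmpty(roles))
                throw new InvalidOperationException("malformed <add> element: " + e);

            // "Admin, Editor" -> {Admin, Editor}; role names compared case-insensitively.
            var roleSet = new HashSet<string>(
                roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0),
                StringComparer.OrdinalIgnoreCase);
            rules[controller + "/" + action] = roleSet;
        }
    }

    public bool IsAllowed(IPrincipal user, string controller, string action)
    {
        HashSet<string> roles;
        if (!rules.TryGetValue(controller + "/" + action, out roles))
            return allowUnlisted;

        // A listed action always needs an authenticated caller holding one of its roles.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return roles.Any(user.IsInRole);
    }

    static void Main()
    {
        // Constructed policy: the post's rule plus an action that grants two roles.
        XDocument doc = XDocument.Parse(
            "<ControllerSecurity>" +
            "  <add controllerName='CategoryController' actionName='Delete' Roles='Admin' />" +
            "  <add controllerName='CategoryController' actionName='Edit' Roles='Admin, Editor' />" +
            "</ControllerSecurity>");
        var lenient = new ControllerActionPolicy(doc, true);   // post's default: unlisted allowed
        var strict = new ControllerActionPolicy(doc, false);   // fail-closed

        // Constructed principals standing in for HttpContext.User. A GenericIdentity
        // with an empty name reports IsAuthenticated == false, i.e. an anonymous caller.
        IPrincipal admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" });
        IPrincipal editor = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Editor" });
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Check("admin deletes", lenient.IsAllowed(admin, "CategoryController", "Delete"), true);
        Check("editor deletes", lenient.IsAllowed(editor, "CategoryController", "Delete"), false);
        Check("editor edits", lenient.IsAllowed(editor, "CategoryController", "Edit"), true);
        Check("anonymous deletes", lenient.IsAllowed(anonymous, "CategoryController", "Delete"), false);
        // Route values can arrive in any casing: /category/delete/1 still hits the Delete rule.
        Check("lower-case route", lenient.IsAllowed(admin, "categorycontroller", "delete"), true);
        // An action missing from the file: open under the post's default, refused when fail-closed.
        Check("unlisted, lenient", lenient.IsAllowed(anonymous, "CategoryController", "Purge"), true);
        Check("unlisted, strict", strict.IsAllowed(admin, "CategoryController", "Purge"), false);
    }

    private static void Check(string what, bool actual, bool expected)
    {
        Console.WriteLine("{0}: {1}{2}", what, actual, actual == expected ? "" : "  <-- UNEXPECTED");
    }
}
```

Compile it with csc (or dotnet) and run; each line prints the decision and flags any that differ from the expectation. In a real BaseController you would build the policy once at application start, keep it in the cache as the post does, and call IsAllowed(User, controllerName, actionName) from OnPreAction.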

Posted on Sunday, February 24, 2008 4:06 PM

Comments on this post: ASP.NET MVC Controller And Action Role Authentication

# re: ASP.NET MVC Controller And Action Role Authentication
Hi Mohammad,

Thanks for this. It certainly looks like a clean and elegant solution. You could, if required, replace the call to the XML file with a db read to read security data from a db-based permission store.

I'm just wondering if you could post a sample of your ControllerActionsSecurity.xml?

Thanks again.
Left by Richard on Feb 28, 2008 11:11 AM

# re: ASP.NET MVC Controller And Action Role Authentication
The structure of the ControllerActionSecurity.xml is included in the above post. Right at the bottom.
Left by Mohammad Azam on Feb 29, 2008 3:36 AM


Copyright © Mohammad Azam