ActionFilterAttribute: Where is the 'Cancel' property? - model-view-controller

Whatever happened to the Cancel property on the ActionExecutingContext? How would one abort a RenderAction when using an ActionFilterAttribute or is there another way to skin this cat?
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if(!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
return;
}
base.OnActionExecuting(filterContext);
}
The code above continues to execute the Action it has been applied to despite exiting the OnActionExecuting operation?
--- Further To original post:
Thanks for the answers below, however, I don't think I have made the context clear enough, I am trying to invalidate the following call:
<% Html.RenderAction("Menu", "Shared", new { id = Model.OtherUserId }); %>
When a user is not authenticated this action should return nothing, I could easily put an 'if' block on the view, however, I would like to keep the rule in the controller.

This worked great Mattias the result is this:
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
filterContext.Result = new EmptyResult();
return;
}
base.OnActionExecuting(filterContext);
}

No, you can not cancel a rendering from a action filter. There are many reasons that you should not do that. What would the client see? A error page? Nothing?
I guess you are building a authorize action filter that would render something else if you are not signed in. There is one in the framework already (AuthorizeAttribute) that redirects you to the login page if you are not signed in. The way that they do it in the framework is to change the result that is being executed (filterContext.Result = [[new result]];). If you don't like how it works you can build your own implementation.
If you still need to cancel the rendering or something like that you will need to build your own ActionResult and do whatever logic you need in the Execute method.
-- Update --
If you want to use render action you should just put the logic in the controller and return empty result if you are not signed in (there is a action result called "EmptyResult" in the framework). That kind of logic belongs in the controller action.

Mattias and rjarmstrong already anwswer question. Here is full code for filter and controller:
public class CancelFilter : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
//before execution
var id = filterContext.RequestContext.HttpContext.Request.Params["id"];
if (id == "0")
{
filterContext.Result = new EmptyResult();
return;
}
base.OnActionExecuting(filterContext);
}
public override void OnResultExecuted(ResultExecutedContext filterContext)
{
//after execution
}
}
[CancelFilter]
public class HomeController : Controller
{
public ActionResult DoSome(string id)
{
return View();
}
...
}

Related

Looking for an alternative to serializing data in controller

I am looking for a method to switch from serializing data (which I originally did using Mvc Futures) and passing it around my controller actions to something that does not use serialize. My previous implementation was for a wizard that passed data from action to action until it was submitted and the data was saved. However, I am unable to use serialization in a new project and am looking for an alternative.
Here is an example of what I did in my controller:
private MyViewModel myViewModel;
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
var serialized = Request.Form["myViewModel"];
if (serialized != null) //Form was posted containing serialized data
{
myViewModel = (MyViewModel)new MvcSerializer()
.Deserialize(serialized, SerializationMode.Signed);
TryUpdateModel(myViewModel);
}
else
myViewModel= (MyViewModel)TempData["myViewModel"] ?? new MyViewModel();
TempData.Keep();
}
protected override void OnResultExecuted(ResultExecutedContext filterContext)
{
if (filterContext.Result is RedirectToRouteResult)
TempData["myViewModel"] = myViewModel;
}
Then in some actions:
// STEP 1:
public ActionResult Step1()
{
return View(myViewModel);
}
[HttpPost]
[ActionName("Step1")]
public ActionResult Step1POST(string nextButton)
{
if ((nextButton != null) && ModelState.IsValid)
return RedirectToAction("Step2");
return View(myViewModel);
}
// STEP 2:
[Themed]
public ActionResult Step2()
{
return View(myViewModel);
}
[HttpPost]
[ActionName("Step2")]
public ActionResult Step2POST(string backButton, string nextButton)
{
if (backButton != null)
return RedirectToAction("Step1");
else if ((nextButton != null) && ModelState.IsValid)
return RedirectToAction("Step3");
return View(myViewModel);
}
My view would contain this inside the #Html.BeginForm block:
#Html.Hidden("myViewModel",
new MvcSerializer().Serialize(Model, SerializationMode.Signed))
My first thought is that I have no other alternative (other than maybe jQuery, which I also cannot use right now). In this scenario I have to figure out how to use TempData in each ActionResult, which will get messy if I have 10 or so inputs in each view.
So my question would probably be two-fold:
Is there a clean alternative to using serialize in this manner?
If there is no clean alternative and I am forced to do it in each
ActionResult, I am not sure of how to do so if, for example, I kept
it to one input view and one submit/confirm view and just wanted to
pass two values to the "Submit" step (not shown above), such as
FirstName an EMail. How might I do that using TempData?
Thanks.

Using MVC3 childactiononly attribute with ajax

I am using ajax to load a partial view in order to add/edit a row in a kendo grid. When I press an edit button in the row I want to also not allow the user to directly call the Home/AddModify action from the browser.
If I put [ChildActionOnly] to my "AddModify" action it does not let me load the partial view
because everything is in the ajax call, and I do not want to have it in the view somewhere like a #Html.Action("Home/AddModify",model). I also do not want to load it from the beginning when the page is loaded.
Can I call the partial view so it is only viewed on demand (dynamically)?
What you need is an AJAX only attribte Take a look at this question
Declare it like
public class AjaxOnlyAttribute : ActionMethodSelectorAttribute
{
public override bool IsValidForRequest(ControllerContext controllerContext, System.Reflection.MethodInfo methodInfo)
{
return controllerContext.RequestContext.HttpContext.Request.IsAjaxRequest();
}
}
and use it like
[AjaxOnly]
public ActionResult ajaxMethod()
{
}
You can use the IsAjaxRequest extension method on HttpRequestBase.
It doesn't prevent every user to call it (you cannot prevent them until it is publicly accessible) (because they can modify the headers to whatever), but for general purpose it may be good for you.
You can make an actionfilter:
public class RestrictToAjaxAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (!filterContext.HttpContext.Request.IsAjaxRequest())
{
throw new InvalidOperationException("This action is only available via ajax");
}
}
}
and put this attribute on top of your action:
[RestrictToAjax]
public ActionResult YourAction()
{
}

"user may do X is user owns object Y": Implement logic in Model Validation or Controller logic?

Consider, for example's sake, the logic "A user may only edit or delete a comment that the user has authored".
My Controller Actions will repeat the logic of checking whether the currently logged in user can affect the comment. Example
[Authorize]
public ActionResult DeleteComment(int comment_id)
{
var comment = CommentsRepository.getCommentById(comment_id);
if(comment == null)
// Cannot find comment, return bad input
return new HttpStatusCodeResult(400);
if(comment.author != User.Identity.Name)
// User not allowed to delete this comment, return Forbidden
return new HttpStatusCodeResult(403);
// Error checking passed, continue with delete action
return new HttpStatusCodeResult(200);
}
Of course, I can bundle that logic up in a method so that I'm not copy / pasting that snippet; however, taking that code out of the controller and putting it in a ValidationAttribute keeps my Action smaller and easier to write tests for. Example
public class MustBeCommentAuthorAttribute : ValidationAttribute
{
// Import attribute for Dependency Injection
[Import]
ICommentRepository CommentRepository { get; set; }
protected override ValidationResult IsValid(object value, ValidationContext validationContext)
{
int comment_id = (int)value;
var comment = CommentsRepository.getCommentById(comment_id);
if(comment == null)
return new ValidationResult("No comment with that ID");
if(comment.author != HttpContext.Current.User.Identity.Name)
return new ValidationResult("Cannot edit this comment");
// No errors
return ValidationResult.Success;
}
}
public class DeleteCommentModel
{
[MustBeCommentAuthor]
public int comment_id { get; set; }
}
Is Model Validation the right tool for this job? I like taking that concern out of the controller Action; but in this case, it may complicate things further. This is especially true when you consider that this Action is part of a RESTful API and needs to return a different HTTP Status Code depending on the Validation errors in the ModelState.
Is there "best practice" in this case?
Personally, I think that it looks nice, but you are getting carried away with annotations. I think that this does not belong in your presentation layer and it should be handled by your service layer.
I would have something on the lines of:
[Authorize]
public ActionResult DeleteComment(int comment_id)
{
try
{
var result = CommentsService.GetComment(comment_id, Auth.Username);
// Show success to the user
}
catch(Exception e)
{
// Handle by displaying relevant message to the user
}
}

MVC3 Return View By Default

Basically, I was wondering if anyone knows of a way that you can set up MVC3 in a way that it will first look for an action, and if none exists, it will automatically return the view at that location. Otherwise each time I make a page, I will have to rebuild it after adding the action.
It isn't something that's stopping the project from working nor is it an issue, it would just be a very nice thing to include in the code to help with speed of testing more than anything.
EDIT:
Just for clarity purposes, this is what I do every time I create a view that doesn't have any logic inside it:
public ActionResult ActionX()
{
return View();
}
Sometimes I will want some logic inside the action, but majority of the time for blank pages I will just want the above code.
I would like it if there was any way to always return the above code for every Controller/Action combination, UNLESS I have already made an action, then it should use the Action that I have specified.
Thanks,
Jake
Why not just create a single action for this. This will look for a view with the specified name and return a 404 if it doesn't exist.
[HttpGet]
public ActionResult Page(string page)
{
ViewEngineResult result = ViewEngines.Engines.FindView(ControllerContext, page, null);
if (result == null)
{
return HttpNotFound();
}
return View(page);
}
Then make your default route fall back to this:
routes.MapRoute("", "{page}", new { controller = "Home", action = "Page" });
So a request to http://yoursite.com/somepage will invoke Page("somepage")
I'm not altogether sure how useful this will be (or whether its really a good idea) but I guess if you have pages which are purely static content (but maybe use a layout or something so you can't use static html) it could be useful
This is how it could be done though anyway (as a base class, but it doesn't have to be)
public abstract class BaseController : Controller
{
public ActionResult Default()
{
return View();
}
protected override IActionInvoker CreateActionInvoker()
{
return new DefaultActionInvoker();
}
private class DefaultActionInvoker : ControllerActionInvoker
{
protected override ActionDescriptor FindAction(ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, string actionName)
{
var actionDescriptor = base.FindAction(controllerContext, controllerDescriptor, actionName);
if (actionDescriptor == null)
actionDescriptor = base.FindAction(controllerContext, controllerDescriptor, "Default");
return actionDescriptor;
}
}
}

Custom AuthorizeAttribute works on controller but not method

I created a custom AuthorizeAttribute:
public AjaxAwareAuthorizeAttribute : AuthorizeAttribute {
public override void OnAuthorization(AuthorizationContext filterContext) {
base.OnAuthorization(filterContext);
if(filterContext.Result is HttpUnauthorizedResult && filterContext.HttpContext.Request.IsAjaxRequest()) {
filterContext.HttpContext.Items["RequestWasNotAuthorized"] = true;
}
}
}
When I apply this to a Controller Class the OnAuthorization event is fired and the handler above is executed as expected but when it is applied to any method within a controller, nothing happens !?
I'd like to give Robotsushi the credit here but he didn't respond with an Answer.
The real problem with my code was in the CustomFilterAttributeFilterProvider code.
protected override IEnumerable<FilterAttributes> GetActionAttributes(ControllerContext controllerContext, ActionDescriptor actionDescriptor) {
//incorrect code
//var attributes = base.GetControllerAction(controllerContext, actionDescriptor);
//correct code
var attributes = base.GetActionAttributes(controllerContext, actionDescriptor);
Robotsushi is on to something here!
I have the following in my bootstrapping code:
var oldProvider = FilterProviders.Providers.Single(f => f is FilterAttributeFilterProvider);
FilterProviders.Providers.Remove(oldProvider);
var newProvider = new CustomFilterAttributeFilterProvider(kernel);
FilterProviders.Providers.Add(newProvider);
This was code I added after adding the custom attribute. When I remove these lines of code then the attribute fires as expected.

Resources