
I have added the Authorize attribute on controller classes which are for admin purposes like adding and removing categories and products. All such controllers (ManageCategory, ManageProduct) are decorated with the following:

[Authorize(Roles = "Administrator")]

These controllers have Upload and Remove action methods which are invoked by jQuery from the rendered view. Since the client script doesn't use the URL or a postback, I am a bit skeptical about whether someone can bypass the controller authorization. These action methods are very sensitive because they provide the ability to remove a file on the server. Following is the code from the Remove action method.

[HttpPost]
public ActionResult Remove(string fileName)
{
    // Resolve the posted name relative to the application root and delete it
    string completeFileName = Server.MapPath("~" + fileName);
    System.IO.File.Delete(completeFileName);
    return Json(true);
}

Though this action method resides in a controller with Authorize applied, can someone still reach it without logging in? Should I be worried and do something else, or will one always need to be authorized as Administrator before accessing this?

  • That's a question of whether you trust ASP.NET MVC's Authorize construct for controllers. The answer is either "trust them" or go read their source. Commented Dec 13, 2011 at 13:12
  • @Raynos I see you are an expert in JavaScript and jQuery. Can you access this action method on my website via some script injection and delete a file? Commented Dec 13, 2011 at 13:17
  • I don't know, I can certainly try; whether the Remove method would be invoked depends 100% on how Authorize works. So basically, if you don't trust it, go confirm it works correctly by reading the source. Commented Dec 13, 2011 at 13:20
  • I invoked the Upload action method from another view after logging out and got the HTTP error. Commented Dec 13, 2011 at 13:33

2 Answers

I'm not sure what you mean by:

Since client script don't use the URL or postback

AJAX requests from client script send cookies just the same as regular page requests; have a look at the headers of an AJAX request using Firebug or Fiddler or some such tool.

This includes the .ASPXAUTH cookie which standard ASP.NET forms authentication uses. The controller will perform exactly the same authentication checks on an AJAX request as it would on a normal page request.


Controller-level attributes are applied to all actions in that controller, so Upload() and Remove() will behave as though they are each decorated with:

[Authorize(Roles = "Administrator")]
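As an added example (not the asker's or either answerer's code), here is a hardened version of the admin controller that both answers describe: the class-level Authorize attribute covers Remove whether the POST comes from a form or from jQuery, an anti-forgery token ties the AJAX call to the logged-in session, and the file name is restricted to an assumed ~/Uploads folder rather than any path under the application root.

```csharp
using System;
using System.IO;
using System.Web.Mvc;

// Class-level attribute: every action, including Remove, requires an
// authenticated user in the Administrator role. The browser sends the
// .ASPXAUTH cookie with jQuery AJAX requests just as with page requests,
// so the same check runs for both.
[Authorize(Roles = "Administrator")]
public class ManageProductController : Controller
{
    // Assumption: uploaded files live under ~/Uploads; nothing else is deletable.
    private const string UploadRoot = "~/Uploads";

    [HttpPost]
    [ValidateAntiForgeryToken] // pairs with @Html.AntiForgeryToken() in the view;
                               // the jQuery POST must include __RequestVerificationToken
    public ActionResult Remove(string fileName)
    {
        // Accept only a bare file name: reject anything carrying a directory part.
        string safeName = Path.GetFileName(fileName ?? string.Empty);
        if (string.IsNullOrWhiteSpace(safeName) || safeName != fileName)
        {
            return new HttpStatusCodeResult(400, "Invalid file name");
        }

        string rootDir = Path.GetFullPath(Server.MapPath(UploadRoot));
        string fullPath = Path.GetFullPath(Path.Combine(rootDir, safeName));

        // Defence in depth: the resolved path must still sit inside the upload root.
        string rootPrefix = rootDir.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!fullPath.StartsWith(rootPrefix, StringComparison.OrdinalIgnoreCase))
        {
            return new HttpStatusCodeResult(400, "Invalid file name");
        }

        if (!System.IO.File.Exists(fullPath))
        {
            return new HttpStatusCodeResult(404, "File not found");
        }

        System.IO.File.Delete(fullPath);
        return Json(true);
    }
}
```

An unauthenticated caller is redirected to the login page by Authorize before any of this code runs; the extra checks only matter once an administrator is signed in.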
