KnightFall
Member
10 Points
3 Posts
help understanding call stack
Apr 28, 2012 06:47 PM
Given this route api/objects/{objectID}, this method signature Get(int objectID, ReturnObjectType type), and this URL ~/api/objects/3?type=SecuredType, I want to secure this method based on whether or not the requested return type was a SecuredType. I have a custom authorization filter which can correctly secure the entire request, without regard to the parameters. When I try to check the conditions on the request to determine authorization, it appears that none of the model binding has completed -- none of the action parameters have been set, the model binder value collection is empty, etc. Have any of the "model" operations completed at this point? I can parse the query string, but I am not at all excited about having the request parsed multiple times.
Any ideas?
BrockAllen
All-Star
28052 Points
4996 Posts
MVP
Re: help understanding call stack
Apr 28, 2012 06:52 PM
Model binding happens after authorization filters.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
marcind
Contributor
3344 Points
609 Posts
Microsoft
Re: help understanding call stack
Apr 28, 2012 08:22 PM
That is true, model binding happens after all of the authorization filters have executed. You could write an action filter to handle this case.
ASP.NET Team
@marcind
Blog
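One way to write the action filter suggested in the reply above, as an added example that is not part of the thread or any poster's code. It assumes ASP.NET Web API 2 and that the route from the question is registered; the attribute name, the `PublicType` enum member and the `SecuredTypeReaders` role are hypothetical.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical enum: only the SecuredType member is named in the thread.
public enum ReturnObjectType { PublicType, SecuredType }

// Action filters run after model binding, so ActionArguments holds the
// bound parameters and the query string is not parsed a second time.
public class SecuredTypeAuthorizeAttribute : ActionFilterAttribute
{
    public string ParameterName { get; set; } = "type";
    public string RequiredRole { get; set; } = "SecuredTypeReaders"; // hypothetical role

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        object bound;
        actionContext.ActionArguments.TryGetValue(ParameterName, out bound);

        // Fail closed: only a successfully bound, non-secured value skips the
        // role check. A missing or unbindable argument is treated as secured.
        if (bound is ReturnObjectType &&
            (ReturnObjectType)bound != ReturnObjectType.SecuredType)
        {
            return;
        }

        var user = actionContext.RequestContext.Principal;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Setting Response short-circuits the pipeline; the action never runs.
            actionContext.Response =
                actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        else if (!user.IsInRole(RequiredRole))
        {
            actionContext.Response =
                actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

public class ObjectsController : ApiController
{
    // GET ~/api/objects/3?type=SecuredType
    [SecuredTypeAuthorize]
    public IHttpActionResult Get(int objectID, ReturnObjectType type)
    {
        return Ok(new { objectID, type });
    }
}
```

Any authorization filters on the controller still run first, so a blanket `[Authorize]` can reject anonymous callers before this parameter-aware check executes.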