Archives

Archives / 2011 / April
  • Dumping DataTable to debug window

    Here’s one little method I use to write out debug information when investigating some new (legacy but new to me) system. Usually I remove this method later when I know how the code works. It’s maybe not the best way to debug things but it works like a charm in many situations.

  • ASP.NET MVC: Defining short URL-s for root level pages

    Short URLs are becoming a more and more important part of page usability as mobile internet use grows. Long URLs are not convenient to type on the small keyboards and screens of mobile devices. Short URLs are also easier to remember, and with well-chosen short URLs your pages may also get better rankings in search engine indexes. In this posting I will show you how to create short URLs for ASP.NET MVC pages.

  • ASP.NET MVC 3: Intranet Application template

    ASP.NET MVC 3 Tools Update introduced a new project template called Intranet Application. The main difference between the internet and intranet application templates is how users are authenticated. In this posting I will talk about the Intranet Application template and compare it to the Internet Application template. I will also give you references to guides that help you configure your intranet application.

  • ASP.NET MVC: Using NonActionAttribute to restrict access to public methods of controller

    Public non-action methods in ASP.NET MVC controllers are a source of problems because users can call them when they are not handled carefully. At the same time you may need public methods on controllers for other reasons (some UI framework, testability problems, things you cannot change, etc.). In this posting I will show you how to handle controller methods properly.

    Calling controller methods

    Public methods of a controller are called controller actions, and these actions are mapped to URLs using routes. Take a look at the following code.


    public ActionResult Index()
    {
        ViewBag.Message = "Welcome to ASP.NET MVC!";
        return View();
    }

    You can see two controller methods here. One of them is Index(), which is expected to be called by the browser. The other one, DoInternalStuff(), is intended only for internal use.


    public void DoInternalStuff()
    {
        Response.Write("We are doing internal stuff here!");
        Response.End();
    }

    Although these examples are primitive, they illustrate the situation very well.

    Calling non-action method

    As you can guess, the first method returns the out-of-the-box default page that comes with the ASP.NET MVC web application project. But what happens when we try to call the other method? The result is here.

    [Screenshot: ASP.NET MVC: Calling non-action method]

    We can call this method directly through the browser, and if it takes arguments we may be able to inject them too under certain circumstances. This is something we don’t want to happen.

    Restricting access to non-action methods

    To restrict access to a non-action method you must use NonActionAttribute to tell the MVC framework that the given controller method is not an action. The code is here:


    [NonAction]
    public void DoInternalStuff()
    {
        Response.Write("We are doing internal stuff here!");
        Response.End();
    }

    Now when we try to run DoInternalStuff() through a URL, we get a 404 error as the response to the request.

    Conclusion

    There are situations where non-action controller methods are used, and there may even be situations where the visibility of these methods cannot be changed. To keep users from invoking those methods directly, which can be considered a security hole, we have to tell the MVC framework through NonActionAttribute that these methods are not controller actions.
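
    An added example, not code from the original post: a reflection check that lists public controller methods that are neither marked [NonAction] nor return an ActionResult, so that forgotten helpers like DoInternalStuff() can be caught in a test or build step. ControllerAudit, MarkedHelper() and the return-type heuristic are assumptions made for illustration, and the project must reference System.Web.Mvc.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Reflection;
    using System.Web.Mvc; // assumption: the project references ASP.NET MVC 3

    // Constructed sample controller mirroring the two methods from the post.
    public class HomeController : Controller
    {
        public ActionResult Index() { return View(); }

        // Helper left public and unmarked: MVC will route requests to it.
        public void DoInternalStuff() { }

        [NonAction] // hypothetical second helper, correctly marked
        public void MarkedHelper() { }
    }

    // Hypothetical audit helper (not part of ASP.NET MVC).
    public static class ControllerAudit
    {
        public static IList<MethodInfo> FindSuspectActions(Assembly assembly)
        {
            return assembly.GetTypes()
                .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t))
                .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance))
                // Skip property accessors and members inherited from Controller/object.
                .Where(m => !m.IsSpecialName)
                .Where(m => !m.GetBaseDefinition().DeclaringType.IsAssignableFrom(typeof(Controller)))
                // Methods carrying the attribute are already excluded from routing.
                .Where(m => !m.IsDefined(typeof(NonActionAttribute), true))
                // Heuristic (assumption): intended actions return an ActionResult.
                .Where(m => !typeof(ActionResult).IsAssignableFrom(m.ReturnType))
                .ToList();
        }
    }

    public static class Program
    {
        public static int Main()
        {
            var suspects = ControllerAudit.FindSuspectActions(typeof(HomeController).Assembly);
            foreach (var m in suspects)
                Console.WriteLine("Routable without [NonAction]: {0}.{1}", m.DeclaringType.Name, m.Name);
            return suspects.Count == 0 ? 0 : 1; // non-zero exit code fails a build step
        }
    }
    ```

    Run against the sample controller, the check reports only HomeController.DoInternalStuff; actions that intentionally return something other than an ActionResult will also be listed and need manual review.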
