Telerik MVC Extensions are no longer supported (see this page for reference). In case you have inquiries about Kendo UI Complete for ASP.NET MVC, post them in the pertinent Kendo UI forums.

Not answered custom AuthorizeAttribute causing menu items to be hidden

  • Patrick Barranis

    Posted on Mar 5, 2010 (permalink)

    Hi.  I've implemented a custom authorization attribute that inherits AuthorizeAttribute.  When I use the AuthorizeAttribute on an Action in my controller, if I reference the same action in my Telerik Menu it appears fine on the website.

    However, if I use my custom attribute (source code below), on either the Controller definition (at the top) or on the Action method itself then the item disappears from my menu.

    I never would have expected the Telerik Menus to automatically try to check AuthorizeAttributes and hide items dynamically - I love it!  This is a great feature, but unfortunately it's not working for me.  Here's the source from my custom attribute:

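    Imports System.Web.Mvc

    Public Class MutiSiteAuthorizeAttribute
        Inherits AuthorizeAttribute

        ' Right required by the decorated action; defaults to LoginToWebsite
        Private _rightNeeded As Rights = Rights.LoginToWebsite

        ' The only constructor takes the required right as an argument
        Public Sub New(ByVal right As Rights)
            _rightNeeded = right
        End Sub

        Protected Overrides Function AuthorizeCore(ByVal httpContext As System.Web.HttpContextBase) As Boolean

            ' Anonymous users are never authorized
            If Not httpContext.User.Identity.IsAuthenticated Then
                Return False
            End If

            ' Rights and BLL.Roles are the poster's own types (not shown in the thread)
            Return BLL.Roles.UserCan(_rightNeeded, httpContext.User)
        End Function
    End Class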

    I'm running Telerik MVC 2010.1.218.235, Microsoft MVC 2 RC2 on VS 2008SP1 (On Win7 Enterprise & with the ASP.NET Development Server).  I'm also running on old Coke, not new Coke :)

    Many thanks in advance!

  • Kazi Manzur Rashid (admin)

    Posted on Mar 9, 2010 (permalink)

    Hello Patrick Barranis,

    Would you please elaborate a bit more? I mean, what is your expected behavior: should it show or hide the menu item?

    Best wishes,
    Kazi Manzur Rashid
    the Telerik team

    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.

  • Patrick Barranis

    Posted on Mar 9, 2010 (permalink)

    Hi Kazi.  I'm sorry - I was a bit unclear.  Based on the fact that the item disappeared I was assuming that the intended design, by Telerik, was that the item would show or hide based on the role of the user that's logged in.  However, that's just an educated guess.

    If the control is not designed to automatically hide items that the user doesn't have permission to access, then I would simply expect that the item in the menu is always visible.  I would not have expected that the item suddenly disappear when I added the attribute.

    In either case the item shouldn't have disappeared.  The user logged-in has the necessary rights to perform that action, and if I type the URL manually into the browser, the action runs successfully without a security exception.

    Thanks,
    Patrick

  • Kazi Manzur Rashid (admin)

    Posted on Mar 9, 2010 (permalink)

    Hi Patrick Barranis,

    Yes you are correct, it is designed in a way that the item will hide if the user does not have the permission.

    When rendering the navigational components like menu/tree/panelbar/tab, we check whether the associated action does have the permission. The Action or Controller is decorated with the Authorize attribute, so typing that URL directly will result in the same security exception.

    All the best,
    Kazi Manzur Rashid
    the Telerik team


  • Patrick Barranis

    Posted on Mar 10, 2010 (permalink)

    Hi Kazi,

    I think it's great that this feature exists; I really like the idea.

    However, clearly it's not functioning properly for me.  If I access the URL directly a security exception does not get thrown, yet the item/action still disappears from the menu.  Can you help me out?

    Thanks,
    Patrick

    PS - Due to an unrelated support ticket I have ongoing, I just tested version 2010.1.309, which I'm told is basically RTW for Q1, and the problem wasn't fixed by running that version either.

  • Kazi Manzur Rashid (admin)

    Posted on Mar 10, 2010 (permalink)

    Hello Patrick Barranis,

    OK, can you please describe the exact case? I mean, where did you put the MutiSiteAuthorizeAttribute that you described below: on the action method or the whole controller? Is any other authorization attribute also involved? You can just post the signature of the controller as well as the sitemap definition.

    Kind regards,
    Kazi Manzur Rashid
    the Telerik team


  • Patrick Barranis

    Posted on Mar 12, 2010 (permalink)

    Hi Kazi,

    Have you tried putting this attribute into a demo or sample site on your end?  I finally did that here, and it failed immediately.  It turns out I was able to learn something that should help you find the problem pretty quickly: If I add an empty constructor to the attribute it works fine.  If there's no empty constructor, none of the constructors even get called by the Telerik code.

    For now I'll leave an empty constructor in our code just for the Telerik Menu to use, but I hope this will get fixed for the next release.

    Thanks,
    Patrick

  • Patrick Barranis

    Posted on Mar 12, 2010 (permalink)

    I was wrong... it doesn't work fine if I make a default, empty constructor.  Only the default constructor gets called, so whatever I return for that default case is what always gets returned.

    Here's the sample attribute I made to test in an empty project:
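    Public Class MutiSiteAuthorizeAttribute
        Inherits AuthorizeAttribute

        Private val As String

        ' Default constructor: sets a value that AuthorizeCore rejects
        Public Sub New()
            val = "qwerty"
        End Sub

        ' "Normal" constructor: the value comes from the attribute argument
        Public Sub New(ByVal right As String)
            val = right
        End Sub

        Protected Overrides Function AuthorizeCore(ByVal httpContext As System.Web.HttpContextBase) As Boolean
            ' True only when the attribute was constructed with "asdf"
            Return val = "asdf"
        End Function
    End Class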

    As you can see, it's designed to fail if the default constructor is called.  If, however, the "normal" constructor is called with "asdf" it will return True.

    And here's how I decorated the Home -> About action in a completely empty, default MVC project:

        <MutiSiteAuthorize("asdf")> _ 
        Function About() As ActionResult 
            Return View() 
        End Function 

    The Telerik Menu I placed on the page never shows the "About" menu item.  If I set breakpoints, the default constructor is the only one that gets called (ever).  Yet if I type in the URL http://localhost/Home/About, the page renders fine.

    I've tested my real website similarly and I get exactly the same results.  I have even checked that if I'm logged in under a user that shouldn't get to some pages I can type in the URL manually and I get kicked to the login page, but if I'm logged in under a user that can get to any page then typing in the URL works fine.

    Let me know if you want my copy of this test project, however, all my changes are in the code blocks above.

    Thanks,
    Patrick

  • Kazi Manzur Rashid (admin)

    Posted on Mar 12, 2010 (permalink)

    Hello Patrick Barranis,

    Yes, you are absolutely correct; we do not support parameterized constructors, as we have to IL-generate the class at runtime. I hope this will not change in the near future, and I suggest using properties instead of parameterized ctors.


    Best wishes,
    Kazi Manzur Rashid
    the Telerik team


  • Patrick Barranis

    Posted on Mar 12, 2010 (permalink)

    Hi Kazi,

    Wow, that sounds convoluted.  How do I use properties with an attribute?  I'm looking at the AuthorizeAttribute in the MSDN documentation, and I honestly hadn't even realized that it wasn't a parameterized constructor.  I always used it as [Authorize("MyRole")] (or <Authorize("MyRole")> in VB...).  I'm a little mystified about how this even works...  I'd really appreciate some sort of example.

    Also, are you going to document the need for an empty constructor somewhere?  This wasn't exactly easy to get to the bottom of...

    Thanks,
    Patrick

  • Patrick Barranis

    Posted on Mar 12, 2010 (permalink)

    Hi Kazi.  I got it.  It appears you can access properties through constructors (in VB, anyways) through the exact same ":=" syntax as optional parameters.  I still don't quite grok how the AuthorizeAttribute can accept an unnamed parameter, like in my example in my last post, but I shall let that go.

    That appears to have solved it.  It's working 100% correctly; thanks!

    Patrick
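
The fix this thread arrives at, as an added example that is not code from the posters or from Telerik: the attribute keeps only a parameterless constructor and takes its setting through a property, and it denies access when that property was never set. `RequiredRight`, `Rights.ManageSite` and the `UserCan` stand-in for `BLL.Roles.UserCan` are assumptions made so the block is self-contained.

```vbnet
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Mvc

' Constructed stand-in for the poster's Rights enum (only LoginToWebsite is in the thread).
Public Enum Rights
    LoginToWebsite
    ManageSite ' hypothetical member
End Enum

Public Class MutiSiteAuthorizeAttribute
    Inherits AuthorizeAttribute
    ' Nullable backing field: "never configured" stays distinguishable from a real right.
    Private _right As Rights?

    ' Parameterless constructor only, so every code path builds the attribute the same way.
    Public Sub New()
    End Sub

    ' Assumed property name; set with named-argument syntax (":=") on the attribute.
    Public Property RequiredRight() As Rights
        Get
            Return _right.GetValueOrDefault()
        End Get
        Set(ByVal value As Rights)
            _right = value
        End Set
    End Property

    Protected Overrides Function AuthorizeCore(ByVal httpContext As HttpContextBase) As Boolean
        If httpContext Is Nothing OrElse httpContext.User Is Nothing Then Return False
        If Not httpContext.User.Identity.IsAuthenticated Then Return False
        ' Fail closed: an instance whose property was never set authorizes nobody.
        If Not _right.HasValue Then Return False
        Return UserCan(_right.Value, httpContext.User)
    End Function
    ' Hypothetical stand-in for BLL.Roles.UserCan from the original post.
    Private Shared Function UserCan(ByVal needed As Rights, ByVal user As IPrincipal) As Boolean
        Return user.IsInRole(needed.ToString())
    End Function
End Class

Public Class HomeController
    Inherits Controller
    <MutiSiteAuthorize(RequiredRight:=Rights.ManageSite)> _
    Function About() As ActionResult
        Return View()
    End Function
End Class
```

Failing closed on an unset property means a misconfigured attribute hides the menu item and blocks the URL alike, so the two checks cannot disagree in the permissive direction.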

  • Ishtiyaq

    Posted on Oct 6, 2011 (permalink)

    Kazi,

    Can you send me an example of how I can hide the menu items dynamically based on user permissions? I really don't know how I can play with permissions for hiding the pages and menus. Please guide ASAP.

    Regards,
    Ishtiyaq Mohammed.

  • Posted on Nov 15, 2011 (permalink)

    Kazi,

    Can you send me the same sample code, please? Thanks

  • Georgi Krustev (admin)

    Posted on Nov 16, 2011 (permalink)

    Hello Faisal,

     
    I have attached a simple test project, which shows how the required task is accomplished.

    Regards,
    Georgi Krustev
    the Telerik team
    If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the Telerik Extensions for ASP.NET MVC, subscribe to their blog feed now