I'm currently working on a .NET MVC app with one area, Inside, and then a single controller on the root area, Home. What I'm noticing is something somewhat similar to what is discussed in this post; I have a Home controller in both my root and Inside areas, and when the menu attempts to render the links to the root actions while at an Inside url, such as /Inside/Account/Login, the links to any Home actions which are present in both the Inside and root areas are not rendered. I noticed that if I take away the [Authorize] attribute on my Inside Home controller, the actions do render properly i.e. /Home/Index is rendered. However, I want to make sure that my inside controllers are decorated with the Authorize attribute.
For example, with the following code snippet
// Root Home Controllerpublic class HomeController : Controller { // Doesn't render public ActionResult Index() { return View(); } // Doesn't render public ActionResult Contact() { return View(); } // Renders public ActionResult About() { return View(); }}// Inside Home controller[Authorize]public class Home : Controller { public ActionResult Index() { return View(); } public ActionResult About() { return View(); }}// /Inside/Account/Login View snippet@(Html.Kendo().Menu().Name("MainMenu").Items(children =>{ items.Add().Text("Root Home").Action("Index", "Home", new { area = "" }); items.Add().Text("Root Contact").Action("Contact", "Home", new { area = "" }); items.Add().Text("Root About").Action("About", "Home", new { area = "" }); items.Add().Text("Login").Action("Account", "Login", new { area = "Inside" });}))if I go to /Home/Index or /Home/Contact I get a menu the menu you would expect (as seen in Correct.png), whereas if I go to /Inside/Account/Login, I get a menu with only the About and Login buttons (as seen in Incorrect.png). My guess is that the Telerik Menu rendering function is attempting to security trim [Authorize] decorated action links with identical names disregarding the area in which the action was specified.
I'm wondering if there is a better way around this bug than to decorate my Inside.Home.Index/Contact actions with [AllowAnonymous] and using a redirect to the root area if a user is not authenticated.
3 Answers, 1 is accepted
We'll try to replicate this issue in a local project in order to troubleshoot it.
For the moment I can only suggest disabling the security trimming, if it doesn't affect the rest of your application:
@(Html.Kendo().Menu().Name("MainMenu").Items(children =>
{
items.Add().Text("Root Home").Action("Index", "Home", new { area = "" });
items.Add().Text("Root Contact").Action("Contact", "Home", new { area = "" });
items.Add().Text("Root About").Action("About", "Home", new { area = "" });
items.Add().Text("Login").Action("Account", "Login", new { area = "Inside" });
})
.SecurityTrimming(false)
)
Apologies for the caused inconvenience.
Regards,
T. Tsonev
Telerik
Rank 1
Thanks for the reply.
I was able to find a way around the problem by adding the [AllowAnonymous] attribute to my Inside Home controller actions that are on the outside, and then added a function to force a redirect to the corresponding outside Home action if a user is not logged in.
In regards to creating a project to expose the error, all you should need is:
- 1 Area with a 1 controller decorated with an Authorize attribute, and one of the actions with an AllowAnonymous
- 1 controller in the root area with the same name as the authorized area controller
- Rendering the menu with actions that are on the area and root controllers
Thanks for looking into it, hopefully this will be fixed in a future release :)
I tried reproducing the issue in the attached project, but without much luck.
Can you please have a look to see if I'm missing something?
Regards,
T. Tsonev
Telerik