I'm currently working on a .NET MVC app with one area, Inside, and then a single controller on the root area, Home. What I'm noticing is something somewhat similar to what is discussed in this post; I have a Home controller in both my root and Inside areas, and when the menu attempts to render the links to the root actions while at an Inside URL, such as /Inside/Account/Login, the links to any Home actions which are present in both the Inside and root areas are not rendered. I noticed that if I take away the [Authorize] attribute on my Inside Home controller, the actions do render properly, i.e. /Home/Index is rendered. However, I want to make sure that my Inside controllers are decorated with the Authorize attribute.
For example, with the following code snippet:
    // Root Home controller
    public class HomeController : Controller {
        // Doesn't render
        public ActionResult Index() { return View(); }
        // Doesn't render
        public ActionResult Contact() { return View(); }
        // Renders
        public ActionResult About() { return View(); }
    }

    // Inside Home controller
    [Authorize]
    public class HomeController : Controller {
        public ActionResult Index() { return View(); }
        public ActionResult About() { return View(); }
    }

    // /Inside/Account/Login view snippet
    @(Html.Kendo().Menu().Name("MainMenu").Items(items =>
    {
        items.Add().Text("Root Home").Action("Index", "Home", new { area = "" });
        items.Add().Text("Root Contact").Action("Contact", "Home", new { area = "" });
        items.Add().Text("Root About").Action("About", "Home", new { area = "" });
        items.Add().Text("Login").Action("Login", "Account", new { area = "Inside" });
    }))
If I go to /Home/Index or /Home/Contact I get the menu you would expect (as seen in Correct.png), whereas if I go to /Inside/Account/Login, I get a menu with only the About and Login buttons (as seen in Incorrect.png). My guess is that the Telerik Menu rendering function is attempting to security trim [Authorize] decorated action links with identical names, disregarding the area in which the action was specified.
I'm wondering if there is a better way around this bug than to decorate my Inside.Home.Index/Contact actions with [AllowAnonymous] and using a redirect to the root area if a user is not authenticated.
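The guess in the question can be modelled in a small console program; this is an added sketch, not code from the original post and not Telerik's implementation. It assumes the Inside Home controller defines Index and Contact (as the last paragraph suggests), and the `Demo.*` namespaces, `MenuTrim`, `Resolve` and `Visible` are hypothetical names.

```csharp
using System;

// Stand-in for System.Web.Mvc.AuthorizeAttribute so the sketch runs as a console program.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
class AuthorizeAttribute : Attribute { }

namespace Demo.Controllers                       // root area: anonymous
{
    class HomeController
    {
        public void Index() { }
        public void Contact() { }
        public void About() { }
    }
}

namespace Demo.Areas.Inside.Controllers          // Inside area: protected
{
    [Authorize]
    class HomeController
    {
        public void Index() { }
        public void Contact() { }
    }
}

static class MenuTrim
{
    // Map an area name ("" = root) to the namespace holding its controllers.
    static Type Resolve(string area, string controller)
    {
        string ns = area == "" ? "Demo.Controllers" : "Demo.Areas." + area + ".Controllers";
        return Type.GetType(ns + "." + controller + "Controller");
    }

    // Anonymous user: show the link unless the resolved controller or action has [Authorize].
    public static bool Visible(string lookupArea, string controller, string action)
    {
        Type type = Resolve(lookupArea, controller);
        var method = type?.GetMethod(action);
        if (method == null) return true;          // nothing resolved, nothing to trim against
        return !type.IsDefined(typeof(AuthorizeAttribute), false)
            && !method.IsDefined(typeof(AuthorizeAttribute), false);
    }

    static void Main()
    {
        foreach (var action in new[] { "Index", "Contact", "About" })
            Console.WriteLine($"{action,-8} lookup by request area (Inside): {Visible("Inside", "Home", action),-5}"
                + $" lookup by link area (root): {Visible("", "Home", action)}");
    }
}
```

Trimming only decides which links are drawn; the [Authorize] attribute on the Inside controllers is what enforces access, so it stays in place whichever lookup the menu uses.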