This is a migrated thread and some comments may be shown as answers.
custom AuthorizeAttribute causing menu items to be hidden
13 Answers 144 Views
This is a migrated thread and some comments may be shown as answers.
This question is locked. New answers and comments are not allowed.
Patrick Barranis
Top achievements
Rank 1
Patrick Barranis asked on 05 Mar 2010, 03:40 PM
Hi.  I've implemented a custom authorization attribute that inherits AuthorizeAttribute.  When I use the AuthorizeAttribute on an Action in my controller, if I reference the same action in my Telerik Menu it appears fine on the website.

However, if I use my custom attribute (source code below), on either the Controller definition (at the top) or on the Action method itself then the item disappears from my menu.

I never would have expected the Telerik Menus to automatically try to check AuthorizeAttributes and hide items dynamically - I love it!  This is a great feature, but unfortunately it's not working for me.  Here's the source from my custom attribute:

Public Class MutiSiteAuthorizeAttribute 
    Inherits AuthorizeAttribute 
 
    Private _rightNeeded As Rights = Rights.LoginToWebsite 
 
    Public Sub New(ByVal right As Rights) 
        _rightNeeded = right 
    End Sub 
 
    Protected Overrides Function AuthorizeCore(ByVal httpContext As System.Web.HttpContextBase) As Boolean 
 
        If Not httpContext.User.Identity.IsAuthenticated Then 
            Return False 
        End If 
 
        Return BLL.Roles.UserCan(_rightNeeded, httpContext.User) 
    End Function 
End Class 

I'm running Telerik MVC 2010.1.218.235, Microsoft MVC 2 RC2 on VS 2008SP1 (On Win7 Enterprise & with the ASP.NET Development Server).  I'm also running on old Coke, not new Coke :)

Many thanks in advance!

13 Answers, 1 is accepted

Sort by
0
Kazi Manzur Rashid
Telerik team
answered on 09 Mar 2010, 11:16 AM
Hello Patrick Barranis,

Would you please elaborate a bit more. I mean what is your expected behavior it should show or hide the menu item?

Best wishes,
Kazi Manzur Rashid
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Patrick Barranis
Top achievements
Rank 1
answered on 09 Mar 2010, 01:52 PM
Hi Kazi.  I'm sorry - I was a bit unclear.  Based on the fact that the item disappeared I was assuming that the intended design, by Telerik, was that the item would show or hide based on the role of the user that's logged in.  However, that's just an educated guess.

If the control is not designed to automatically hide items that the user doesn't have permission to access, then I would simply expect that the item in the menu is always visible.  I would not have expected that the item suddenly disappear when I added the attribute.

In either case the item shouldn't have disappeared.  The user logged-in has the necessary rights to perform that action, and if I type the URL manually into the browser, the action runs successfully without a security exception.

Thanks,
Patrick
0
Kazi Manzur Rashid
Telerik team
answered on 10 Mar 2010, 04:07 AM
Hi Patrick Barranis,

Yes you are correct, it is designed in a way that the item will hide if the user does not have the permission.

When rendering the navigational components like menu/tree/panelbar/tab we check whether the associated action does have the permission. The Action or Controller are decorated with Authorize attribute so typing directly to that Url willl result same security exception.

All the best,
Kazi Manzur Rashid
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Patrick Barranis
Top achievements
Rank 1
answered on 10 Mar 2010, 01:01 PM
Hi Kazi,

I think it's great that this feature exists; I really like the idea.

However, clearly it's not functioning properly for me.  If I access the URL directly a security exception does not get thrown, yet the item/action still disappears from the menu.  Can you help me out?

Thanks,
Patrick

PS - Due to a unrelated support ticket I have ongoing, I just tested version 2010.1.309, which I'm told is basically RTW for Q1, and the problem wasn't fixed by running that version either.
0
Kazi Manzur Rashid
Telerik team
answered on 10 Mar 2010, 02:33 PM
Hello Patrick Barranis,

Ok can you please describe the exact case, I mean where did you put the MutiSiteAuthorizeAttribute that you described below, in action method or the whole controller, does any other authorization attribute also involved? You can just post the signature of the controller as well as the sitemap defination.

Kind regards,
Kazi Manzur Rashid
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Patrick Barranis
Top achievements
Rank 1
answered on 12 Mar 2010, 04:15 PM
Hi Kazi,

Have you tried putting this attribute into a demo or sample site on your end?  I finally did that here, and it failed immediately.  It turns out I was able to learn something that should help you find the problem pretty quickly: If I add an empty constructor to the attribute it works fine.  If there's no empty constructor, none of the constructors even get called by the Telerik code.

For now I'll leave an empty constructor in our code just for the Telerik Menu to use, but I hope this will get fixed for the next release.

Thanks,
Patrick
0
Patrick Barranis
Top achievements
Rank 1
answered on 12 Mar 2010, 05:17 PM
I was wrong... it doesn't work fine if I make a default, empty constructor.  Only the default constructor gets called, so whatever I return for that default case is what always gets returned.

Here's the sample attribute I made to test in an empty project:
Public Class MutiSiteAuthorizeAttribute 
    Inherits AuthorizeAttribute 
 
    Private val As String 
 
    Public Sub New() 
        val = "qwerty" 
    End Sub 
 
    Public Sub New(ByVal right As String
        val = right 
    End Sub 
 
    Protected Overrides Function AuthorizeCore(ByVal httpContext As System.Web.HttpContextBase) As Boolean 
        Return val = "asdf" 
    End Function 
End Class 

As you can see, it's designed to fail if the default constructor is called.  If, however, the "normal" constructor is called with "asdf" it will return True.

And here's how I decorated the Home -> About action in a completely empty, default MVC project:

    <MutiSiteAuthorize("asdf")> _ 
    Function About() As ActionResult 
        Return View() 
    End Function 

The Telerik Menu I placed on the page never shows the "About" menu item.  If I set breakpoints, the default constructor is the only one that gets called (ever).  Yes if I type in the url http://localhost/Home/About, the page renders fine.

I've tested my real website similarly and I get exactly the same results.  I have even checked that if I'm logged in under a user that shouldn't get to some pages I can type in the URL manually and I get kicked to the login page, but if I'm logged in under a user that can get to any page then typing in the URL works fine.

Let me know if you want my copy of this test project, however, all my changes are in the code blocks above.

Thanks,
Patrick
0
Kazi Manzur Rashid
Telerik team
answered on 12 Mar 2010, 07:16 PM
Hello Patrick Barranis,

Yes you are absolutly correct, we do not support parameterized constructors as we have to IL generate the class at runtime. I hope this will not change in near future and I suggest to use properties instead of parameterized ctors.


Best wishes,
Kazi Manzur Rashid
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Patrick Barranis
Top achievements
Rank 1
answered on 12 Mar 2010, 07:33 PM
Hi Kazi,

Wow, that sounds convoluted.  How do I use properties with an attribute?  I'm looking at the AuthorizeAttribute in the MSDN documentation, and I honestly hadn't even realized that it wasn't a parameterized constructor.  I always used it as [Authorize("MyRole"] (or <Authorize("MyRole")> in VB...).  I'm a little mystified about how this even works...  I'd really appreciate some sort of example.

Also, are you going to document the need for an empty constructor somewhere?  This wasn't exactly easy to get to the bottom of...

Thanks,
Patrick
0
Patrick Barranis
Top achievements
Rank 1
answered on 12 Mar 2010, 08:03 PM
Hi Kazi.  I got it.  It appears you can access properties through constructors (in VB, anyways) through the exact same ":=" syntax as optional parameters.  I still don't quite grok how the AuthorizeAttribute can accept an unnamed parameter, like in my example in my last post, but I shall let that go.

That appears to have solved it.  It's working 100% correctly; thanks!

Patrick
0
Ishtiyaq
Top achievements
Rank 1
answered on 06 Oct 2011, 05:03 PM
Kazi,

Can you send me the an Example how can hide the menu items dynamically on user permissions. I really dont how how can I play with permissions on hiding the pages and menus. Please, guide ASAP.

Regards,
Ishtiyaq Mohammed.
0
Faisal Alam
Top achievements
Rank 2
answered on 16 Nov 2011, 05:06 AM
Kazi,

Can you send me the same sample code please. Thanks
0
Georgi Krustev
Telerik team
answered on 16 Nov 2011, 04:27 PM
Hello Faisal,

 
I have attached a simple test project, which shows how the required task is accomplished.

Regards,
Georgi Krustev
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the Telerik Extensions for ASP.MET MVC, subscribe to their blog feed now
Tags
Menu
Asked by
Patrick Barranis
Top achievements
Rank 1
Answers by
Kazi Manzur Rashid
Telerik team
Patrick Barranis
Top achievements
Rank 1
Ishtiyaq
Top achievements
Rank 1
Faisal Alam
Top achievements
Rank 2
Georgi Krustev
Telerik team
Share this question
or