I have a custom [AuthenticationFilter] which simply redirects users that are not authorized to access administrative content.
I apply the filter to
[AuthenticationFilter]
public ActionResult Index() { return View(); }
But, I also have
[HttpPost]
public ActionResult Index(HttpPostedFileBase file) { /* handle upload */ return View(); }
for handling file uploads. Do I need the attribute here?
My gut instinct tells me no. There’s no way to POST a file to the page because uploadButton is blocked from loading by the first method.
The only other security concern I can imagine is a cross-site AJAX post, but this shouldn’t be possible, or at least is highly unlikely, because it’s an intranet site.
So, is there any reason to apply [AuthenticationFilter] to the file handler?
You can never count on your client-side control (disabling the upload button) to stop something from hitting your server. End users have complete control over what happens on the client. They can enable controls, remove or modify hidden fields, intercept browser requests, or bypass the browser completely and make their own requests (with any file they want).
Any place that you have the option to add security on the server, you should do it. There is no type of request you can stop by simply using browser controls.
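As an added example (not the asker's code or the answer's), this is how the server-side enforcement described above looks in ASP.NET MVC: the custom filter's body, the `AdminController` name, the `Admin` role and the `~/Account/Login` redirect target are assumptions, since the question does not show them. Placing the attribute on the controller rather than on the GET action alone means the `[HttpPost]` overload is protected too, regardless of what the client did with the upload button.

```csharp
using System.Web;
using System.Web.Mvc;

// Assumed implementation of the custom filter from the question: an
// MVC authorization filter that runs server-side before every action
// it is applied to and redirects callers who are not admins.
public class AuthenticationFilterAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Hypothetical admin check; adapt to the site's identity source.
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("Admin"))
        {
            // Setting a Result short-circuits the action. This also covers
            // a direct POST that never loaded the page with the disabled button.
            filterContext.Result = new RedirectResult("~/Account/Login");
        }
    }
}

// Applying the attribute at controller level covers every action,
// including the HttpPost overload, so a hand-crafted request cannot skip it.
[AuthenticationFilter]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // addresses the cross-site POST concern raised in the question
    public ActionResult Index(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength == 0)
        {
            ModelState.AddModelError("file", "No file was uploaded.");
            return View();
        }
        // Upload handling goes here (placeholder; not part of the page).
        return RedirectToAction("Index");
    }
}
```

The view must render `@Html.AntiForgeryToken()` inside the upload form for `[ValidateAntiForgeryToken]` to pass.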