I have added the Authentication attribute on controller classes which are for admin purposes like adding and removing categories and products. All such controllers (ManageCategory, ManageProduct) are decorated with the following:

    [Authorize(Roles = "Administrator")]
These controllers have Upload and Remove action methods which are invoked by jQuery from the rendered view. Since the client script doesn't use the URL or a postback, I am a bit skeptical whether someone can bypass the controller authorization. These action methods are very sensitive because they provide the ability to remove a file on the server. Following is the code from the Remove action method.

    [HttpPost]
    public ActionResult Remove(string fileName)
    {
        // Resolve the posted file name to a physical path under the application root
        string completFileName = Server.MapPath("~" + fileName);
        // Delete the file and report success to the calling script
        System.IO.File.Delete(completFileName);
        return Json(true);
    }
Though this action method resides in a controller with authorization, can someone still reach it without logging in? Should I be worried and do something else, or will one always need to be authorized as an administrator before accessing this?
I'm not sure what you mean by...
AJAX requests from client script send cookies just the same as regular page requests – have a look at the headers of an AJAX request using Firebug or Fiddler or some such tool.
This includes the .ASPXAUTH cookie which standard ASP.NET authentication uses. The controller will perform exactly the same authentication checks on an AJAX request as it would on a normal page request.
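To make the answer's point concrete, here is an added example (not the asker's code and not from any project on this page) of the Remove action as it would look with the same controller-level authorization the question describes, plus the checks a practitioner would want inside a cookie-authenticated, script-invoked delete: an anti-forgery token and confinement of the delete to one upload folder. The controller name, the "~/Uploads" folder and the 400 responses are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Added example: the authorization filter is declared once on the controller,
// exactly as in the question, so it runs for every action regardless of whether
// the request came from a full page load or from jQuery.
[Authorize(Roles = "Administrator")]
public class ManageProductController : Controller
{
    // Assumed location of uploaded files; only files directly under it may be removed.
    private const string UploadRoot = "~/Uploads";

    [HttpPost]
    // Because the browser attaches the .ASPXAUTH cookie to the AJAX call automatically,
    // the action also requires the anti-forgery token that the view rendered.
    [ValidateAntiForgeryToken]
    public ActionResult Remove(string fileName)
    {
        // If execution reaches this line, [Authorize] has already accepted the request:
        // an unauthenticated caller, or one outside the Administrator role, never gets here.
        if (string.IsNullOrEmpty(fileName))
            return new HttpStatusCodeResult(400);

        // Physical path of the upload folder, normalised so the prefix check below is reliable.
        string rootPath = Path.GetFullPath(Server.MapPath(UploadRoot));

        // Keep only the file-name component of the posted value, resolve it under the
        // upload folder, and confirm the resolved path is still inside that folder.
        string fullPath = Path.GetFullPath(Path.Combine(rootPath, Path.GetFileName(fileName)));
        if (!fullPath.StartsWith(rootPath + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(400);

        if (!System.IO.File.Exists(fullPath))
            return Json(false);

        System.IO.File.Delete(fullPath);
        return Json(true);
    }
}
```

On the client side the view emits the token with @Html.AntiForgeryToken(), and the jQuery call posts the __RequestVerificationToken field together with fileName. Note that when forms authentication rejects an unauthenticated AJAX request, the response is the login-page redirect rather than a bare 401, so the script's success handler should not treat any 200 response as a completed delete; checking for the JSON body the action returns avoids that confusion.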