Home/ Questions/Q 9245771
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T09:20:22+00:00

I have this: [AllowAnonymous] public FilePathResult GetImage(string user) { var path = AppDomain.CurrentDomain.BaseDirectory +

  • 0

I have this:

[AllowAnonymous]
public FilePathResult GetImage(string user)
{
    var path = AppDomain.CurrentDomain.BaseDirectory + "files\\uploads\\users\\" + user + "\\avatar\\";
    var ext = this.GetImageExtension(path, user);
    return ext != null ? File(path + user + "." + ext, "image/" + ext, user + "." + ext) : File(AppDomain.CurrentDomain.BaseDirectory + "files\\commonFiles\\users\\avatar\\noavatar.png", "image/png", "noavatar.png");
}

And inside my views I have this: 

<img src="/MyAccount/GetImage/?user=@User.Identity.Name" 
     alt="@User.Identity.Name" />

Now, whenever I use this inside my web developer server it works perfectly ok. But when I publish my site on my server, it is not even trying to hit that action. Why?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Why?

    Because you have hardcoded the url to your controller action instead of using an url helper:

    <img src="@Url.Action("GetImage", "MyAccount", new { user = User.Identity.Name })" alt="@User.Identity.Name" />

    You should never hardcode urls in an ASP.NET MVC application but always use url helpers.

    Also passing the currently logged in user as query string parameter looks like a horrible security issue. There’s nothing preventing the user from passing whatever username he likes and consulting the images of that user. You should read the currently authenticated user in your controller action.

    So start by getting rid of this query string parameter:

    <img src="@Url.Action("GetImage", "MyAccount")" alt="@User.Identity.Name" />

    and then in your controller action you could always retrieve the currently logged in user with the User.Identity.Name property:

    [Authorize]
public FilePathResult GetImage()
{
    string user = User.Identity.Name;
    var path = Server.MapPath(
        string.Format("~/files/uploads/users/{0}/avatar/", user)
    );
    var ext = this.GetImageExtension(path, user);
    if (string.IsNullOrEmpty(ext))
    {
        return File(
            Server.MapPath("~/files/commonFiles/users/avatar/noavatar.png"), 
            "image/png", 
            "noavatar.png"
        );
    }
    var file = Path.ChangeExtension(Path.Combine(path, user), ext);
    return File(file, "image/" + ext, user + "." + ext);
}

    I’ve also decorated this controller action with the [Authorize] attribute to make it accessible only to authenticated users. If this is not your case you could still keep the [AllowAnonymous] attribute but check for User.Identity.IsAuthenticated before attempting to access his username.

    • 0