ASP.NET MVC: Using NonActionAttribute to restrict access to public methods of controller

Public non-action methods in ASP.NET MVC controllers are source of problems because they can be called by user when not handled carefully. Same time you may need public methods on controllers for some other reasons (some UI framework, testability problems, things you cannot change etc). In this posting I will show you how to handle controller methods properly.

Calling controller methods

Public methods of controller are called controller actions and these actions are mapped to URL-s using routes. Take a look at the following code.


public ActionResult Index()
{
    ViewBag.Message =
"Welcome to ASP.NET MVC!"
;
   
return View();
}

You can see here two controller methods. One of them is Index() and it is expected to be called by browser. The other one – DoInternalStuff() – is intended only for internal use.


public void DoInternalStuff()
{
    Response.Write(
"We are doing internal stuff here!");
    Response.End();
}

Although these examples are primitive ones they let us illustrate the situation very well.

Calling non-action method

As you can guess then first method returns out-of-box default page that comes with ASP.NET MVC web application project. But what happens when we try to call this other method? The result is here.

Non-action was called on controller

We can call this method directly through browser and if it contains arguments we may be able to inject them too under certain circumstances. This is something we don’t want to happen.

Restricting access to non-action methods

To restrict access to non-action method you must use NonActionAttribute to notify MVC framework that given controller method is not action. The code is here:


[NonAction]
public void
DoInternalStuff()
{
    Response.Write(
"We are doing internal stuff here!");
    Response.End();
}

Now when we try to run DoInternalStuff() over URL we get the error 404 as response to request.

Conclusion

There are situations where non-action controller methods are used and there may even exist situations where visibility of these methods cannot be changed. To avoid users to invoke those methods directly – this can be considered as security hole – we have to say MVC framework using NonActionAttribute that these methods are not controller actions.


Leave a Reply

Your email address will not be published. Required fields are marked *