
Hi,

For a view that will be submitted I have two actions with the same name, but one of them has this attribute:

[AcceptVerbs(HttpVerbs.Post)]

In the non-POST action I usually make some validations where the user will be redirected to another action if it's not correct, for example validating that the current object being edited is able to be changed.

Is it true that I need to make the exact same validations in the POST action to be sure that the page is not hacked with some sort of custom post?

If so, how do you usually handle this? I do know about AuthorizeAttribute, but the validations I need to do are specific for this action.

  • What sort of validation are you referring to? You should be validating any input before accepting it. Commented Jun 24, 2012 at 14:08

1 Answer


Is it true that I need to make the exact same validations in the POST action to be sure that the page is not hacked with some sort of custom post?

Every controller action that modifies some state on the server and which requires authorization must perform this authorization.

I do know about AuthorizeAttribute, but the validations I need to do are specific for this action.

Then write a specific Authorize attribute for those 2 actions (as apparently you have the same authorization logic for the 2 actions).

But there's something weird about your description. You said that if authorization fails in the GET action you redirect. But when you redirect you obviously cannot invoke the POST action because redirect means GET.


6 Comments

Okay, so that is the preferred way? Not to build a private method in the Controller that validates for these two actions?
I still don't understand exactly what your scenario is and what you are trying to achieve. If it is authorization logic then it should go into a custom Authorize attribute, not inside the controller action or any private methods. If you are doing input validation, such as for example StartDate must be lower than EndDate, then you could use the validation attributes on your view model and let the default model binder perform this validation. Also, as I stated in my answer, your question is not clear: you mentioned a redirect to a POST action, which doesn't make any sense.
Say that we have a complex object; this object has a couple of different states and is edited in different views. When the state Paid is set it should not be possible to edit the object anymore. Right now I have a small check for this in each action, and if this check fails then the user will be redirected to a status page that explains the problem (or in this case the status of the object). The problem is that my check is only in the non-POST actions and they need to be on both.
Regular view validations are done as you say with validation attributes.
Alright, the scenario you describe is a perfect candidate for a custom Authorize attribute to avoid repeating the authorization logic in every controller action that needs it. Also remember that you should use the GET verb only to retrieve data from the server. The RESTful conventions dictate that you should use the POST or PUT verbs for controller actions that actually modify state on your server (database update or insert).
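An added example, not code from the answer or from the asker's project: a custom AuthorizeAttribute for ASP.NET MVC (System.Web.Mvc) that enforces the "no edits once the object is Paid" rule from the comments on the GET and POST actions alike, so a hand-crafted POST goes through the same check as the form page. OrderState, IOrderRepository, OrdersController and the Status route are assumed names.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical stand-ins for the asker's "complex object" and its persistence.
public enum OrderState { Draft, Pending, Paid }

public interface IOrderRepository
{
    OrderState? GetState(int id);   // null when no such object exists
}

// Applied to both verbs, so the state check cannot be skipped by posting directly.
public sealed class EditableOrderAttribute : AuthorizeAttribute
{
    // A real project would resolve this from its DI container; a static hook keeps the example self-contained.
    public static Func<IOrderRepository> RepositoryFactory { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);          // built-in authentication/role check first
        if (filterContext.Result != null) return;     // already rejected by the base class

        // The id may arrive as a route value (GET /Orders/Edit/5) or in the posted form body.
        object rawId = filterContext.RouteData.Values["id"] ?? (object)filterContext.HttpContext.Request["id"];
        int id;
        if (rawId == null || !int.TryParse(rawId.ToString(), out id))
        {
            filterContext.Result = new HttpNotFoundResult();
            return;
        }

        OrderState? state = RepositoryFactory().GetState(id);
        if (state == null)
        {
            filterContext.Result = new HttpNotFoundResult();
        }
        else if (state == OrderState.Paid)
        {
            // Same redirect the asker does by hand today, now enforced for every verb.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Orders", action = "Status", id = id }));
        }
    }
}

public class OrdersController : Controller
{
    [EditableOrder]
    public ActionResult Edit(int id) { return View(); }

    [EditableOrder, AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
    public ActionResult Edit(int id, FormCollection form) { return RedirectToAction("Status", new { id }); }
}
```

ValidateAntiForgeryToken is a separate concern from the state check: it ties the POST to a form the server issued, while the attribute above decides whether that object may be edited at all.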