Archive

Archive for the ‘ASP.NET MVC’ Category

Dumbbell.se är släppt

October 12th, 2008 No comments

Igår la jag upp www.dumbbell.se för allmänheten. Dumbbell.se är en träningscommunity där man kan mata in sina träningspass, se statistik hur man utvecklas och diskutera med andra träningsintresserade människor. Siten kommer byggas ut gradvis närmsta tiden.

Rent tekniskt så har jag använt mig av ASP.NET MVC, NHibernate och jQuery i en härlig symbios :)

Jag kommer troligtvis skriva fler inlägg om dumbbell.se här i framtiden, men detta får vara tillräckligt för stunden.

Categories: ASP.NET MVC Tags:

Validating HTTP method in ASP.NET MVC

July 10th, 2008 No comments

On the web it’s considered a good practice that the GET method never changes the state on the server. When state should be changed the POST method should be used. It is good to follow this practice, otherwise there might be problems when search engines tries to visit links (which are GET by default).
By default in ASP.NET MVC any public method on the controller can be accessed both by GET and POST. So I _could_ access my DeleteUser() method by an ordinary link (which is GET).

So, how do I restrict a method in ASP.NET MVC to be only GET or only POST? I could use ActionFilterAttribute and tag each method with it. But tagging every method is a bit noisy in my opinion. The thing I want is GET to be the default way to access methods, and then I want to mark POST methods only with attributes.

In my MVC projects I always have a BaseController, that all my controllers inherit from. With that in place it is actually quite easy to accomplish the above. I just need to override OnActionExecuting like this:

public class BaseController : Controller
{
    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var attributes = filterContext.ActionMethod.GetCustomAttributes(
            typeof(POSTAttribute), false);
        var method = filterContext.HttpContext.Request.HttpMethod;
        if (attributes.Length > 0 && method != "POST")
        {
            ThrowIllegalMethodException("POST", filterContext);
        }
        else if (attributes.Length == 0 && method != "GET")
        {
            ThrowIllegalMethodException("GET", filterContext);
        }
    }

    private static void ThrowIllegalMethodException(string expectedHttpMethod,
        ActionExecutingContext filterContext)
    {
        var controllerName = filterContext.Controller.GetType().Name;
        var controllerMethod = filterContext.ActionMethod.Name;
        var httpMethod = filterContext.HttpContext.Request.HttpMethod;

        var message = string.Format("Only {0} method allowed for {1}.{2}, but {3} was used.",
            expectedHttpMethod, controllerName, controllerMethod, httpMethod);
        throw new SecurityException(message);
    }
}

And also I need a POSTAttribute which is simplest possible:

public class POSTAttribute : Attribute
{
}

So, now I can write [POST] above methods like this: 

public class MyController : BaseController
{
    [POST]
    public ActionResult SaveMyEntity()
    {
        // Code..
    }
}

Pretty cool that you can change the behaviour of the MVC framework this easy.

Categories: .NET, ASP.NET, ASP.NET MVC Tags: