Use GET to determine node accessibility #14
Comments
Adds 'routeMethod' attribute to sitemap provider initialization attributes. The value set in the attribute is used when determining current route. If the value is empty or not specified the method of the current request is used.
Fix for issue #14 (Use GET to determine node accessibility).
|
Is it possible you could provide a small sample project showing how you use this functionality? We have v4 in beta now, but I just realized that this functionality is not yet implemented there. It would be a big help if we have a way to ensure we can get it to work the way it was intended to. Alternatively, if you could submit another pull request based on the v4 branch that would be great. |
|
I created a demo project for the issue. The text in the views and comments in HomeController should explain the issue. I hope I will fix the issue in the v4 branch tomorrow evening or on the weekend. |
|
Hey, thanks for doing this. If you don't have the time to implement it will be a big help. |
…determine node accessibility) behavior. Issue description AuthorizeAttributeAclModule uses current HTTP context to determine whether the node is visible. If action overloads accepting different HTTP verbs have different authorization parameters then AuthorizeAttributeAclModule will use authorization parameters of an action accepting HTTP verb of current request. This behavior is invalid because clicking site map node links usually results in a GET request.
Note I 'reused' ISiteMapNode.HttpMethod property because it seems to replicate DefaultSiteMapProvider.RouteMethod property (that was used to in the fix in the old project) and it is neither documented nor used after setting it in an ISiteMapBuilder.
Note I 'reused' ISiteMapNode.HttpMethod property because it seems to replicate DefaultSiteMapProvider.RouteMethod property (that was used to in the fix in the old project) and it is neither documented nor used after setting it in an ISiteMapBuilder.
|
In your demo project, you provided XML as follows: <?xml version="1.0" encoding="utf-8" ?>
<mvcSiteMap xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://mvcsitemap.codeplex.com/schemas/MvcSiteMap-File-4.0">
<mvcSiteMapNode title="Demo site" controller="Home" action="Index" visibility="!*" httpMethod="GET">
<mvcSiteMapNode title="Home" controller="Home" action="Index"/>
<mvcSiteMapNode title="About" controller="Home" action="About"/>
</mvcSiteMapNode>
</mvcSiteMap>However, it does not function correctly this way because httpMethod is not inherited. It only functions correctly if the httpMethod is added specifically on the nodes that require it. <?xml version="1.0" encoding="utf-8" ?>
<mvcSiteMap xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://mvcsitemap.codeplex.com/schemas/MvcSiteMap-File-4.0">
<mvcSiteMapNode title="Demo site" controller="Home" action="Index" visibility="!*">
<mvcSiteMapNode title="Home" controller="Home" action="Index"/>
<mvcSiteMapNode title="About" controller="Home" action="About" httpMethod="GET"/>
</mvcSiteMapNode>
</mvcSiteMap>I am trying to determine if this is the expected behavior, as someone has opened another issue about this #230. I went back to v4.0.14 (before the changes to AuthorizeAttributeAclModule), but it functions exactly the same way. It seems like it should use GET by default if httpMethod is not supplied (to make MvcSiteMapProvider do a POST, the HTML helpers would need to be modified to spit out form tags or JavaScript), but the logic you provided uses the current HTTP method by default. So, it seems that the logical way to do this would be:
That would cover all of the possible scenarios, but using httpMethod parameter would only be required if you modify the HTML helpers. Thoughts? |
|
Using GET by default would be great for me. I used current HTTP method by default only as a backwards-compatibility precaution. As for httpMethod I did expect it to be inherited by the child nodes but it is not important if GET would be used by default. |
|
Well, backwards compatibility wasn't that much of a concern in a major release - unfortunately, now we have to make a potentially breaking change in a minor release. But the fact of the matter is the default behavior is broken given the default behavior of how the nodes are rendered, and the reality is the change probably won't affect that many users. |
I have two actions with the same name: one for GET requests and another one for POST. These action have require different user roles (the user must have write access for POST).
AuthorizeAttributeAclModule uses current HTTP method to determine the action so users without write access don't have the site map node after they POST on some other page. This is not right because following links in a site map generates GET requests.
I think HTTP method should be configurable or GET.
The text was updated successfully, but these errors were encountered: