aspnet / live.asp.net

Code for live.asp.net, which hosts the ASP.NET Community Stand-up
https://live.asp.net/
MIT License

Missing [Authorize] Attribute on admin post action. #61

Closed Bartmax closed 9 years ago

Bartmax commented 9 years ago

https://github.com/aspnet/live.asp.net/blob/a3ad4d4498cb2e836b0a8558ce1bd8f2eed61c29/src/live.asp.net/Controllers/AdminController.cs#L88-L89

clearcache (post) doesn't have [Authorize("Admin")] attribute. I think it would be an improvement to have the [Authorize] filter at the controller level instead of per action.

matsprea commented 9 years ago

With a simple POST everyone can clear the YouTube cache, causing a waste of resources.

@DamianEdwards what do you think?

DamianEdwards commented 9 years ago

Agreed. That's an oversight, we should just put it on the controller.
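
The fix discussed in this thread, as an added example that is not part of the original issue and not the project's own code: the per-action pattern with the gap next to the controller-level attribute, plus a reflection check that lists actions reachable without authorization. It assumes ASP.NET Core MVC; the controller names, the `AuthorizationAudit` helper and the reduced action bodies are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Per-action style, as in the report: one action carries the policy, the POST was missed.
public class PerActionAdminController : Controller            // hypothetical name
{
    [HttpGet, Authorize("Admin")]
    public IActionResult Index() => Ok();                     // body reduced for the example

    [HttpPost]                                                // no [Authorize]: open to any caller
    public IActionResult ClearCache() => Ok();
}

// Controller-level style: every current and future action requires the "Admin" policy.
[Authorize("Admin")]
public class ControllerLevelAdminController : Controller      // hypothetical name
{
    [HttpGet]
    public IActionResult Index() => Ok();

    [HttpPost]
    public IActionResult ClearCache() => Ok();
}

public static class AuthorizationAudit                        // hypothetical helper
{
    // Names of public actions declared on `controller` that need no authorization.
    public static IReadOnlyList<string> FindUnprotectedActions(Type controller) =>
        controller
            .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
            .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true))
            .Where(m => !RequiresAuthorization(controller, m))
            .Select(m => $"{controller.Name}.{m.Name}")
            .ToList();

    private static bool RequiresAuthorization(Type controller, MethodInfo action)
    {
        // [AllowAnonymous] on either level bypasses [Authorize], so it counts as open.
        if (controller.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            action.IsDefined(typeof(AllowAnonymousAttribute), true))
            return false;
        return controller.IsDefined(typeof(AuthorizeAttribute), true) ||
               action.IsDefined(typeof(AuthorizeAttribute), true);
    }
}
```

Calling `AuthorizationAudit.FindUnprotectedActions` on each admin controller from a unit test and asserting an empty result makes the build fail when an action is later added without the attribute.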