michelgrootjans / CanI

A .net authorization component that decouples authorization from roles/actions/...

Potential Caching Bug in AuthorizeWithCanIFilter #4

Open jebright opened 9 years ago

jebright commented 9 years ago

Isn't there a potential flaw in AuthorizeWithCanIFilter? When overriding OnAuthorization in an AuthorizeAttribute, you have to deal with caching. See the comments in the source code for AuthorizeAttribute for more information, but typically the safest approach is to override AuthorizeCore.

Here are the comments I'm specifically referring to:

```csharp
// If a child action cache block is active, we need to fail immediately, even if authorization
// would have succeeded. The reason is that there's no way to hook a callback to rerun
// authorization before the fragment is served from the cache, so we can't guarantee that this
// filter will be re-run on subsequent requests.
```
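The pattern the comment above describes, as an added example that is not part of CanI or of this issue: a hypothetical ASP.NET MVC filter written the unsafe way (overriding OnAuthorization and never reaching the base implementation) beside the same filter written over AuthorizeCore, which lets the base class register the output-cache validation callback. `IAuthorizationDecision`, `UnsafeDecisionFilter` and `SafeDecisionFilter` are invented names standing in for whatever decision object the real filter consults.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical decision object; stands in for the component the real filter asks.
public interface IAuthorizationDecision
{
    bool Allows(IPrincipal user, string controller, string action);
}

// UNSAFE: OnAuthorization is overridden and the base implementation is never called.
// The base is what (a) fails fast when a child action cache block is active and
// (b) registers a cache validation callback that re-runs AuthorizeCore before a
// cached response is served. Without it, the first caller's answer is cached
// together with the page and later callers, including ones the decision would
// reject, are served the cached fragment without this method ever running again.
public class UnsafeDecisionFilter : AuthorizeAttribute
{
    private readonly IAuthorizationDecision _decision;

    public UnsafeDecisionFilter(IAuthorizationDecision decision) { _decision = decision; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        RouteData rd = filterContext.RouteData;
        bool allowed = _decision.Allows(
            filterContext.HttpContext.User,
            rd.GetRequiredString("controller"),
            rd.GetRequiredString("action"));

        if (!allowed)
            filterContext.Result = new HttpUnauthorizedResult();
        // No IsChildActionCacheActive check and no validation callback registered.
    }
}

// SAFE: put the decision in AuthorizeCore and leave OnAuthorization alone.
// The base OnAuthorization calls AuthorizeCore, and on success registers a
// validation callback (via Response.Cache.AddValidationCallback) that calls
// AuthorizeCore again for every later request that would be answered from the
// output cache, so the decision is re-evaluated per caller. If a child action
// cache block is active it throws instead, matching the quoted comment.
public class SafeDecisionFilter : AuthorizeAttribute
{
    private readonly IAuthorizationDecision _decision;

    public SafeDecisionFilter(IAuthorizationDecision decision) { _decision = decision; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // AuthorizeCore only receives the HttpContextBase (that is all the cache
        // validation callback has), so route values are read from the request.
        RouteData rd = httpContext.Request.RequestContext.RouteData;
        return _decision.Allows(
            httpContext.User,
            rd.GetRequiredString("controller"),
            rd.GetRequiredString("action"));
    }
}

// Registration (hypothetical decision instance), e.g. in Application_Start:
//   GlobalFilters.Filters.Add(new SafeDecisionFilter(decision));
```

Calling `base.OnAuthorization(filterContext)` from an override is not enough on its own: the callback the base registers re-runs `AuthorizeCore`, not the override, so any logic that stays in `OnAuthorization` is still skipped when the response comes from the cache. The decision itself has to live in `AuthorizeCore`.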

michelgrootjans commented 9 years ago

Good catch. I'll look into it