In an ASP.NET MVC application, I'd like for certain controllers to only be accessible to authorized users. AuthorizeAttribute works great for this. However, I'd also like those controllers to provide access to certain IP numbers even if the remote user is unauthorized. Should I override AuthorizeAttribute to provide this functionality, or is there a better solution?
4
votes
2 Answers
3
votes
Keep in mind that if you add both the AuthorizeAttribute with users and your own ClientIPAuthorizeAttribute with the client IP's, unauthorised users within the specified IP's still won't be allowed...
This is because individual AuthorizeAttributes can't communicate with one another to do a logical OR. Subclassing is the easiest and cleanest way to achieve what you want.
