Yesterday I ran into a couple of problems when I went to upgrade to the release candidate for MVC. The first had to do with a custom autorization filter I had created for this site. The second problem had to do with request validation suddenly being enabled.
The AuthorizationFilter
Some quick background for those not familiar with this method. I wanted to do my own flavor of request authentication. So I created a class that derived from FilterAttribute, and from IAuthorizationFilter.
Deriving from FilterAttribute allowed my class to function as an action filter (i.e. it can be associated with a controller action and executes when that action executes). In this case it allowed me to easily added this filter as an attribute in the code as well as allowing the custom authorization filter to execute just before my method was executed so that I could ensure the current user was allowed to execute the method.
Implementing the IAuthoriztionFilter interface meant that this filter would run before any other filters associated with my controller action. It takes an AuthorizationContext as a parameter which can then be used to ensure the current user can execute, and if for some reason the authorization of the user fails then you simply set the AuthorizationContext.Cancel attribute = false and the action does not get executed.
Sounds simple enough. Well in the release candidate the Cancel attribute was removed from the AuthorizationContext. Now you set the Result attribute equal to a non null ActionResult to stop the target action from executing. My understanding is that by setting the result, there is no need for the code to proceed any further so just return to the caller. In my case, for now, I just simply return control to my home page (using RedirectResult), but a much better option would be a redirection to a login error page.
Request Validation
The second problem that I had was that all of a sudden I was getting error messages saying that input on my form failed validation. Essentially I was runnining into something that ASP.Net had from way back in 1.1 (or was it 1.0?) where any form submissions that had html or script characters would cause an validation exception to fire.
In my case I wanted HTML in some of my form submissions. I'm writing blog text and I'm allowing HTML in my blog entries so this had to go. I go into my web.config and set validateRequest=false in my pages element. Figured I was all set. Nope! Hmm whats going on here. Well after a little research I found this. Based upon that I needed to set [ValidateRequest="false] as an attribute on my controller classes or methods as appropriate.
Why the change? Well, it makes a lot of sense if you think about it, the submission processing occurs in the controller now. Not in the pages. So the attribute needs to be associated with the controller in this new world order.
Other than that its been pretty smooth sailing with the RC. Hopefully its going smoothly for everyone else as well.