I have the following controller with actions attributed with route templates. Note that I have a 'max' value constraint of 25 on the 'id' parameter.
__1.__
* Request: http://localhost:23377/api/values/26
* Response: As expected the route's max value constraint evaluates to false.
__2.__
* Request: http://localhost:23377/api/values?id=26
* Expected: response should be 'GetAll'
* Actual: response is Get26. This is bad as now the user has managed to bypass my constraint.
__Workaround__:
Rename either of the Get methods to have unique action names. But this may not be good as users tend to have the same action names when overloading. Can we prevent action selector to ignore actions which were filtered out during the route template matching process?
```
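using System.Web.Http;

public class ValuesController : ApiController
{
    // GET api/values/5
    // The route constraint limits 'id' to a maximum of 25.
    [HttpGet("api/values/{id:max(25)}")]
    public string Get(int id)
    {
        return "Get" + id;
    }

    // GET api/values
    // Same action name as the overload above.
    [HttpGet("api/values")]
    public string Get()
    {
        return "GetAll";
    }
}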
```
__Information in route table__:
```
***********************************
RouteTemplate: api/values/{id}
-----------------------------------
Defaults:
--------
Key:controller, Value:Values
Key:action, Value:Get
Constraints:
-----------
Key:httpMethod, Value:System.Web.Http.Routing.HttpMethodConstraint
Key:id, Value:System.Web.Http.Routing.Constraints.MaxHttpRouteConstraint
***********************************
RouteTemplate: api/values
-----------------------------------
Defaults:
--------
Key:controller, Value:Values
Key:action, Value:Get
Constraints:
-----------
Key:httpMethod, Value:System.Web.Http.Routing.HttpMethodConstraint
```
Comments: I discussed this scenario with Yao today. It would just be easier to explain to users to always use unique names for their actions.
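
The two-stage dispatch described in this report, as an added example that is not part of the original issue and is not Web API's code: a simplified Python model in which route matching applies the `max(25)` constraint, and action selection then matches on action name only. The selection rule (prefer the overload with the most parameters that can be supplied) and the names `GetById` and `GetAll` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

def build_app(by_id_name, get_all_name):
    """Constructed model of the page's controller and its two route entries."""
    actions = [(by_id_name, ("id",)), (get_all_name, ())]  # (name, parameters)
    routes = [  # (path regex, default action name, per-parameter constraints)
        (r"^/api/values/(?P<id>[^/]+)$", by_id_name,
         {"id": lambda v: re.fullmatch(r"-?\d+", v) and int(v) <= 25}),  # max(25)
        (r"^/api/values$", get_all_name, {}),
    ]
    return actions, routes

def match_route(path, routes):
    """Stage 1: the first route whose template and constraints accept the path."""
    for pattern, action_name, constraints in routes:
        m = re.match(pattern, path)
        if m and all(check(m.group(k)) for k, check in constraints.items()):
            return {"action": action_name, **m.groupdict()}
    return None

def select_action(route_data, query, actions):
    """Stage 2 (assumed): match on action name only, preferring the overload with
    the most parameters that route data or the query string can supply."""
    available = set(route_data) | set(query)
    candidates = [a for a in actions
                  if a[0] == route_data["action"] and set(a[1]) <= available]
    return max(candidates, key=lambda a: len(a[1]), default=None)

def dispatch(url, app):
    actions, routes = app
    parts = urlsplit(url)
    route_data = match_route(parts.path, routes)
    if route_data is None:
        return "no route matched"
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    action = select_action(route_data, query, actions)
    if action is None:
        return "no action matched"
    name, params = action
    values = {**query, **route_data}
    return name + "(" + ", ".join(f"{p}={values[p]}" for p in params) + ")"

BASE = "http://localhost:23377/api/values"     # host and port from the page
same_names = build_app("Get", "Get")           # the controller as reported
unique_names = build_app("GetById", "GetAll")  # hypothetical renamed actions
```

With `same_names`, `dispatch(BASE + "?id=26", same_names)` reaches the constrained overload through the unconstrained route; with `unique_names` the same request can only select `GetAll`.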