I have the following controller with actions attributed with route templates. Note that I have a 'max' value constraint of 25 on the 'id' parameter.
__1.__
* Request: http://localhost:23377/api/values/26
* Response: As expected the route's max value constraint evaluates to false.
__2.__
* Request: http://localhost:23377/api/values?id=26
* Expected: response should be 'GetAll'
* Actual: response is Get26. This is bad as now the user has managed to bypass my constraint.
__Workaround__:
Rename either of the Get methods to have unique action names. But this may not be good, as users tend to have the same action names when overloading. Can we prevent action selector to ignore actions which were filtered out during the route template matching process?
```
using System.Web.Http;

public class ValuesController : ApiController
{
    // GET api/values/5
    // Route-level constraint: only applies when id is taken from the URL path.
    [HttpGet("api/values/{id:max(25)}")]
    public string Get(int id)
    {
        return "Get" + id;
    }

    // GET api/values
    [HttpGet("api/values")]
    public string Get()
    {
        return "GetAll";
    }
}
```
__Information in route table__:
```
***********************************
RouteTemplate: api/values/{id}
-----------------------------------
Defaults:
--------
Key:controller, Value:Values
Key:action, Value:Get
Constraints:
-----------
Key:httpMethod, Value:System.Web.Http.Routing.HttpMethodConstraint
Key:id, Value:System.Web.Http.Routing.Constraints.MaxHttpRouteConstraint
***********************************
RouteTemplate: api/values
-----------------------------------
Defaults:
--------
Key:controller, Value:Values
Key:action, Value:Get
Constraints:
-----------
Key:httpMethod, Value:System.Web.Http.Routing.HttpMethodConstraint
```
Comments: This is not supported by attribute routing. We do not evaluate constraints against the query string, and you will need to write a custom constraint to solve that.
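An alternative to the custom route constraint mentioned in the comment is to enforce the limit at the action, so the check runs whether `id` was bound from the path or from the query string. This is an added example, not code from the original report or from the Web API project; `MaxArgumentAttribute` is a hypothetical name, and the 400 response is an assumed policy choice.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter (not part of Web API): rejects the request when the
// bound action argument exceeds the limit, regardless of which route matched
// and whether the value came from the URL path or the query string.
public sealed class MaxArgumentAttribute : ActionFilterAttribute
{
    private readonly string _name;
    private readonly int _max;

    public MaxArgumentAttribute(string name, int max)
    {
        _name = name;
        _max = max;
    }

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        object raw;
        // ActionArguments holds the values after model binding has run.
        if (actionContext.ActionArguments.TryGetValue(_name, out raw)
            && raw is int && (int)raw > _max)
        {
            // Setting Response short-circuits the pipeline; the action never runs.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.BadRequest,
                _name + " must be less than or equal to " + _max);
        }
    }
}

public class ValuesController : ApiController
{
    // The route constraint still shapes URL matching; the filter is the
    // authoritative limit on the value the action receives.
    [HttpGet("api/values/{id:max(25)}")]
    [MaxArgument("id", 25)]
    public string Get(int id) { return "Get" + id; }

    [HttpGet("api/values")]
    public string Get() { return "GetAll"; }
}
```

With this in place, `api/values?id=26` is rejected with a 400 response instead of returning `Get26`. It does not make that request resolve to `GetAll`, since action selection is unchanged.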