August 11th, 2009, 11:33 AM
nberardi
Wrox Author
Join Date: Aug 2008
Location: Phoenixville, PA, USA

Originally Posted by ralphbethke
You the Men!
It's great to know that all that good Beer was not wasted on you.

A preview release for MVC2.0 is now available so the dll issue might be a moot point. I'll check it out.
Some of the issues have been resolved; however, some haven't. Plus, a good lively debate never hurt anybody.

The MVC team really did a disservice by making the AcceptVerb attribute look like a security mechanism, because it was never intended to be that, and it has fooled many developers. A proper security system rejects the attempt right away, which is what HttpPostOnly was designed to do. It is like saying "immediately reject if the POST verb doesn't match". However, AcceptVerb is sort of like a gateway, which says "skip me if you don't have a POST verb". The "skip me" part is where you can have many problems if you have a lot of route rules, or if your application will some day have a lot of route rules, because after this action has been skipped, it will go on and find all the other actions that may match. If it finds one that it wasn't intended to match, you have a hole in your application that is very hard to find.

That is why I am so passionate about this particular attribute: it has the ability to give people a false sense of security. I fought this tooth and nail over on CodePlex to get them to add more security to this particular action method filter, because some others and I saw the chance for abuse.

I am really glad you like the book, and look forward to seeing your review on Amazon.
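The "skip me" versus "reject me" distinction the post draws, as an added C# illustration for ASP.NET MVC 1.0/2.0 that is not the book's code: the `RejectNonPostAttribute` below is an assumed stand-in for the spirit of the book's HttpPostOnly filter, not its actual implementation, and the `AccountController` with its two `Transfer` overloads is constructed for the example.

```csharp
using System;
using System.Web.Mvc;

// AcceptVerbs is an action *selector*: when the verb does not match, the action
// invoker silently drops this method and keeps looking for another candidate
// action named "Transfer" on the same controller (constructed example).
public class AccountController : Controller
{
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Transfer(string to, decimal amount)
    {
        // State-changing work happens here; only reached on POST.
        return RedirectToAction("Index");
    }

    // Because the POST-only overload was skipped rather than rejected,
    // a GET /Account/Transfer quietly lands on this method instead.
    // Detecting such fall-through requires checking every same-name action.
    public ActionResult Transfer()
    {
        return View();
    }
}

// An action *filter* behaves like the post's "immediately reject": a non-POST
// request is answered in place with 405 Method Not Allowed, and no other
// action on the controller is consulted. (Assumed stand-in for HttpPostOnly.)
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class RejectNonPostAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        string verb = filterContext.HttpContext.Request.HttpMethod;
        if (!string.Equals(verb, "POST", StringComparison.OrdinalIgnoreCase))
        {
            // Short-circuit the pipeline: set a result so the action never runs.
            filterContext.HttpContext.Response.StatusCode = 405;
            filterContext.HttpContext.Response.AppendHeader("Allow", "POST");
            filterContext.Result = new EmptyResult();
        }
    }
}
```

Decorating the state-changing `Transfer` overload with `[RejectNonPost]` instead of `[AcceptVerbs(HttpVerbs.Post)]` makes a stray GET fail loudly with a 405, which is easy to spot in server logs, rather than being routed to whichever other action happens to match.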