Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Blazor Server: don't bind event listener for non-rendered element
See original GitHub issueI’m interested in keeping authorization simple by using the AuthorizeView component. This request is an elaboration of the documentation issue: dotnet/AspNetCore.Docs/issues/20462.
In short, say I have Blazor pages, each of which requires authentication and role-based authorization:
@page "/page1"
@attribute [Authorize]
<AuthorizeView Role="page1">
<!-- SECURE CONTENT -->
<button @onclick="SecureAction">Secure Action</button>
</AuthorizeView>
@code {
private void SecureAction()
{
// Unauthorized users should not be able to execute this code path
}
}
It would be nice if it was impossible for clients to manually trigger the SecureAction method. In this case, because the only element to which it binds is not rendered, no SignalR event listener should be bound.
I would prefer not to inject the AuthenticationStateProvider in every page and guard every protected task/method with it.
re: @guardrex
Issue Analytics
- State:
- Created 3 years ago
- Comments:7 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@shanemikel by default event handlers for non-rendered elements are unable to be invoked. The scenario @javiercn was talking of was that if your authorization status changes after an element is rendered, there is a small window (in the order of milliseconds) before a new render that event handlers could be triggered. (
[Initially authorized] --> [Unauthorized / StateHasChanged] … You can continue to trigger the event now … --> [Render](Now it’s no longer possible to trigger)
If you were concerned about the small window, you could consider using the pattern @javiercn suggested. Most users would not need to worry about this.
@guardrex I don’t think this needs to be documented.
Closing this issue since the original question was answered.