未经授权AJAX请求成功 [英] Unauthorized AJAX request succeeds

问题描述

我有以下控制器的方法：

I have following controller method:

[HttpPost]
[Authorize(Roles="some_role_actual_user_is_NOT_in")
public ActionResult AJAXMethod()
{
    return Json(new { message = "server message");
}

和脚本页面：

function sendReq()
{
    $.ajax({
        type: "POST",
        data: { somedata: "somedata" },
        url: "/Path/To/AJAXMethod",
        success: onAJAXSuccess,
        error: onAJAXError
    });
}


function onAJAXSuccess(response, status, xhr)
{
    alert("success: " + response.message);
    alert(status);
}

function onAJAXError(xhr,status,error)
{
    alert("error: " + status);
    alert(error);
}

当我称之为 sendReq 与用户没有授权的角色AJAX调用仍然suceed - 回调 onAJAXSuccess 被称为，但 response.message 是不确定的。

When I call sendReq with user not in the authorized role the AJAX call still suceed - callback onAJAXSuccess is called, but response.message is undefined.

推荐答案

这是正确的行为。 AJAX调用的成功仅由服务器使用200 OK回应的事实来确定。您将需要询问返回的响应自己，以确保它是否是你希望的格式。

This is correct behaviour. The success of an AJAX call is only determined by the fact the the server responded with a 200 OK. You will need to interrogate the returned response yourself to ensure it is in the format you expect.

例如：

if (typeof response.message != "undefined" && response.message != "") {
   // it worked
}
else {
    // didn't work || user did not have access.
}

这篇关于未经授权AJAX请求成功的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！