1

Closed

[Routing] ApiController: Selection of Actions by verb should exclude actions with ActionName attribute

description

Actions with ActionName attribute should not be invoked by verb inference if RouteData does not include {action}.

If a request arrives at an ApiController without an {action} parameter being set in the RouteData, ApiControllerActionSelector uses verb inference (with FindActionsForVerb()) only. While this mostly makes sense, it means that actions decorated with a [ActionName] can still be invoked by a request coming in

Thus, with routes like:
routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "api/{controller}/{id}",
    defaults: new { id = RouteParameter.Optional }
);
And an action like this in addition to your usual Post() action:
[ActionName("Activate")]
public String Activate(User doofus) {
     // (I assume that complex POCO types as a parameter automatically infers [HttpPost]).
     return "Posted!";
}
Invoking "POST http://localhost:3000/api/users" may thusly end up invoking my Activate() action up there rather than my conventional Post() action, which is clearly not intended.

I propose that ApiControllerActionSelector.FindActionsForVerbWorker() excludes any actions that have an [ActionName] attribute on them. What do you guys think?
Closed Apr 25, 2013 at 1:12 AM by youssefm

comments

orospakr wrote Aug 29, 2012 at 11:39 PM

Btw, this is in the "v2-rtm" branch of git. I have not checked if this issue exists in master/elsewhere.

HongmeiG wrote Apr 6, 2013 at 6:12 AM

We will address this.

youssefm wrote Apr 24, 2013 at 6:30 PM

Changing this behavior would be a breaking change.

youssefm wrote Apr 25, 2013 at 1:11 AM

This would be a breaking change because valid URIs that work today would just stop working in a future version. So if someone was relying on POST http://localhost:3000/api/users calling Activate above, action selection would just fail if we changed the behavior.