[Routing] ApiController: Selection of Actions by verb should exclude actions with ActionName attribute


Actions with ActionName attribute should not be invoked by verb inference if RouteData does not include {action}.

If a request arrives at an ApiController without an {action} parameter being set in the RouteData, ApiControllerActionSelector uses verb inference (with FindActionsForVerb()) only. While this mostly makes sense, it means that actions decorated with a [ActionName] can still be invoked by a request coming in

Thus, with routes like:
    name: "DefaultApi",
    routeTemplate: "api/{controller}/{id}",
    defaults: new { id = RouteParameter.Optional }
And an action like this in addition to your usual Post() action:
public String Activate(User doofus) {
     // (I assume that complex POCO types as a parameter automatically infers [HttpPost]).
     return "Posted!";
Invoking "POST http://localhost:3000/api/users" may thusly end up invoking my Activate() action up there rather than my conventional Post() action, which is clearly not intended.

I propose that ApiControllerActionSelector.FindActionsForVerbWorker() excludes any actions that have an [ActionName] attribute on them. What do you guys think?
Closed Apr 25, 2013 at 2:12 AM by youssefm


orospakr wrote Aug 30, 2012 at 12:39 AM

Btw, this is in the "v2-rtm" branch of git. I have not checked if this issue exists in master/elsewhere.

HongmeiG wrote Apr 6, 2013 at 7:12 AM

We will address this.

youssefm wrote Apr 24, 2013 at 7:30 PM

Changing this behavior would be a breaking change.

youssefm wrote Apr 25, 2013 at 2:11 AM

This would be a breaking change because valid URIs that work today would just stop working in a future version. So if someone was relying on POST http://localhost:3000/api/users calling Activate above, action selection would just fail if we changed the behavior.