Ninject Authorization vs Action Filter binding order

Question

I have 2 filters I'm trying to apply using Ninject's BindFilter<> syntax, and they are being applied with their dependency injection successfully. The problem lies in the fact that the one sorts out who the current user is and binds that InRequestScope, and has to run before the second one when checking for maintenance authorization - otherwise it doesn't know which user you're referring to.

The filter binding in NinjectWebCommon.cs looks like this:

kernel.BindFilter<CurrentUserFilter>(FilterScope.Global, 0).InRequestScope();
kernel.BindFilter<SetupRightsAttribute>(FilterScope.Controller, 1).WhenControllerType<MaintenanceController>().InRequestScope();

So in the Maintenance controller, I'm wanting the first one to run and then the second; in everything else just the first one - and this works, the second one is only used when browsing to something in my Maintenance controller.

The 2 filters are declared as such (irrelevant details excluded)

public class CurrentUserFilter : IActionFilter
{
    public void OnActionExecuting(ActionExecutingContext filterContext)
    // implementation - breakpoint 1
}

public class SetupRightsAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    // implementation - breakpoint 2
}

I'm expecting breakpoint 1 to be hit and then breakpoint 2, but for some reason it's always breakpoint 2 first - and because it doesn't know the user at this point it tells me I have no authorization.

I have tried many different permutations of FilterScope and order settings, even binding them in a different order, but nothing works...what am I doing wrong?

Answer 1

Authorization filters are executed before action filters, because authorization is earlier in the MVC execution pipeline than processing the action.