T4Mvc generated classes accessible to User (browser)

Dec 11, 2013 at 4:25 PM
I'm using T4MVC with an ASP.NET MVC4 project. Today I looked into the generated code and saw that T4MVC generates a class that extends my Controller:
public partial class T4MVC_TestController : NormalT4mvcTest.Controllers.TestController
    {
        public T4MVC_TestController() : base(Dummy.Instance) { }

        partial void IndexOverride(T4MVC_System_Web_Mvc_ActionResult callInfo);

        public override System.Web.Mvc.ActionResult Index()
        {
            var callInfo = new T4MVC_System_Web_Mvc_ActionResult(Area, Name, ActionNames.Index);
            IndexOverride(callInfo);
            return callInfo;
        }

    }
When using the url: 'http://localhost:51103/T4MVC_Test/Index'. the browser executes the code in the generated controller. Is this known? If so why is this not disabled and how can I disable it.
Coordinator
Dec 11, 2013 at 4:59 PM
Good find, that's definitely not deliberate! It happens because MVC finds all classes that extend Controller. I don't think it exposes and scary vulnerabilities, but it's definitely quirky.

I wonder if there is some attribute that can be put on the class so MVC ignores it.
Jan 28, 2014 at 2:17 PM
It appears that spraying [NonAction] attributes fixes this - i've a local version of the .tt file that does this.

I'll fork and commit this as a solution
Coordinator
Jan 29, 2014 at 12:42 AM
Perfect, thanks! The fix is in.