In this quick article, I will tell you the problem that filter overrides is trying to solve(with an example). I will also show you a quick fix of a bug that I found in ASP.NET MVC 5 regarding filter overrides.

Description:

Let say you have an Authorize filter applied on a controller and a action

[Authorize(Roles = "PowerUsers")]
public class AController : ApiController
{   

    // GET api/api
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }
    [Authorize(Roles = "Admin")]
    // GET api/api/5
    public string Get(int id)
    {
        return "value";
    }
}

Now you want that all actions of above controller should only run when the user is in PowerUsers role except for second Get method which requires an Admin role. Before ASP.NET MVC 5 and ASP.NET Web API 2, it was not possible to achieve this(without using a dirty hack). But the current version make this a piece of cake, using OverrideAuthorizationAttribute. Just put this attribute on the second Get action above and then you are done. For the further understanding of this, just use this controller and custom authorize filter,

public class MyAuthorizeAttribute : AuthorizeAttribute
   {
       string name;
       public MyAuthorizeAttribute(string s)
       {
           name = s;
       }
       public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
       {
           base.OnAuthorization(actionContext);
       }
   }
   [MyAuthorize("Controller")]
   public class AController : ApiController
   {
       [MyAuthorize("Action")]
       //[OverrideAuthorization]
       // GET api/api
       public IEnumerable<string> Get()
       {
           return new string[] { "value1", "value2" };
       }
       // GET api/api/5
       public string Get(int id)
       {
           return "value";
       }
   }

Now just put a break-point on MyAuthorizeAttribute constructor and OnAuthorization method. You will find that the constructor is invoked for both action and controller but only the controller's MyAuthorizeAttribute.OnAuthorization(by checking name variable) is called. Now just un-comment the[OverrideAuthorization], you will find that action method's MyAuthorizeAttribute.OnAuthorization is called. When you do the same in MVC 5, it will not work due to a bug(AFAIK) in MVC 5 RC. Hopefully will be fixed in RTM. But for now you can use this hack to make this work in MVC 5 as well. Here is an example,

public class OverrideAuthorizeAttribute : AuthorizeAttribute, IOverrideFilter
   {
       public Type FiltersToOverride
       {
           get { return typeof(IAuthorizationFilter); }
       }
   }
   [Authorize(Users="Admin")]
   public class HomeController : Controller
   {
       [OverrideAuthorize(Users = "Imran Baloch")]
       public ActionResult Index()
       {
           return View();
       }       

       public ActionResult About()
       {
           ViewBag.Message = "Your application description page.";
           return View();
       }

       public ActionResult Contact()
       {
           ViewBag.Message = "Your contact page.";

           return View();
       }
   }

The hack is simply creating a new OverrideAuthorizeAttribute inheriting from AuthorizeAttribute and implementing IOverrideFilter interface and then applying this to the Index action method.