In ASP.NET MVC, we manipulate Views, among other things. Some of these Views represent full pages and some are just page parts. These parts or areas belonging to a view are called partial views, and they are also returned by controller actions. Since these partial views should only be used within a view, the ASP.NET MVC framework allows us to protect any call to these partial actions by decorating them with the ChildActionOnly attribute. This attribute makes sure that the action:
- cannot be served as an entire view; application developers will always run it using the HtmlHelper.Action or HtmlHelper.RenderAction methods.
- has a URL that will not be accessible via the address bar, even if a user somehow becomes aware of the existence of this URL.
However, as with any dynamic site, we will have AJAX requests that can also make requests for HTML content without having to load the page completely. This content also represents a part, and when we receive the response from the web server we have to embed this piece of HTML somewhere in the page. The AJAX request sent to the server will certainly invoke a controller action. This action, like those marked with the ChildActionOnly attribute, must have these constraints:
- it should only be reachable through AJAX requests.
- it should be inaccessible via the browser address bar.
The ASP.NET MVC framework does not offer any attributes that let us apply these restrictions to an action, but it gives us the tools to create them...
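One way to build such an attribute with the framework's own extension points, as an added example that is not code from the original post: `AjaxOnlyAttribute`, `CartController`, `Summary` and `_Summary` are hypothetical names, and the sketch assumes ASP.NET MVC 5 (`System.Web.Mvc`).

```csharp
using System;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical attribute (not part of ASP.NET MVC): an action selector that
// only lets the action match when the request identifies itself as AJAX.
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AjaxOnlyAttribute : ActionMethodSelectorAttribute
{
    public override bool IsValidForRequest(ControllerContext controllerContext,
                                           MethodInfo methodInfo)
    {
        // IsAjaxRequest() is the framework's extension method on HttpRequestBase.
        // It checks for "X-Requested-With: XMLHttpRequest", which jQuery and
        // most AJAX libraries send by default.
        return controllerContext.HttpContext.Request.IsAjaxRequest();
    }
}

// Hypothetical controller showing the attribute in use.
public class CartController : Controller
{
    // A plain navigation to /Cart/Summary from the address bar carries no
    // X-Requested-With header, so the selector rejects this method and,
    // with no other matching action, the framework answers 404.
    //
    // The header is supplied by the client, so this is a routing constraint,
    // not an access control: [Authorize] still decides who may see the data.
    [AjaxOnly]
    [Authorize]
    [HttpGet]
    public PartialViewResult Summary()
    {
        // "_Summary" is an assumed partial view name.
        return PartialView("_Summary");
    }
}
```

Note that the browser's native `fetch` and `XMLHttpRequest` do not add `X-Requested-With` on their own, so callers that do not use a library such as jQuery must set the header explicitly.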