Tags: c#, .net, asp.net-core-mvc, asp.net-identity

Should I check the authorization of a user inside every view?


So I'm working on an MVC project in .NET Core 2.1. I use the built-in Cookie authentication from ASP.NET Identity.

All my endpoints inside my controller that would require authorization are annotated with [Authorize], of course. But do my views (that get returned) also need a form of annotation to define that they are only accessible to users that are authorized? If that is the case, how would you do that?


Solution

  • Checking the authentication or authorization in a .cshtml view contradicts the MVC concept in my opinion. When the request hits the "View" part of MVC, there was already a corresponding controller involved which did its job and called the view engine. At this point you are (or should be) done with handling business logic - and permissions are just another form of business requirement - and present its result the most fabulous way.

    So to answer your question concretely:

    But, do my views (that get returned) also need a form of annotation to define they are only accessible for users that are authorized?

    Since they are only accessible through controllers (or should be), they don't need additional annotations.
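To illustrate where the check belongs, here is an added example (not code from the question or the answer) of a .NET Core 2.1 controller that protects every view it returns through attributes on the controller, plus the middleware ordering that makes [Authorize] effective. The controller and action names are invented for the example; the attributes, the Startup methods and the default Identity scheme are the framework's own.

```csharp
// Added example, not part of the original post. Assumes the default ASP.NET Core 2.1
// Identity scaffolding (cookie authentication, scheme "Identity.Application").
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;

// The rule sits on the controller, so it covers every action and therefore every
// view those actions return. Files under /Views are not served as static content
// (UseStaticFiles only serves wwwroot), so a .cshtml cannot be requested directly.
[Authorize]
public class ReportsController : Controller   // hypothetical controller name
{
    // GET /Reports -> Views/Reports/Index.cshtml, reachable by authenticated users only
    public IActionResult Index() => View();

    // A narrower rule on one action: this view is only returned to the "Admin" role.
    // The role name is an assumption for the example.
    [Authorize(Roles = "Admin")]
    public IActionResult Audit() => View();

    // Explicit opt-out for a single action; anything without it keeps the class rule.
    [AllowAnonymous]
    public IActionResult Help() => View();
}

public class Startup
{
    // Relevant part of the pipeline only. Order matters: the authentication
    // middleware must run before MVC, otherwise User is never populated from the
    // cookie and every [Authorize] action redirects to the login page.
    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();      // serves wwwroot only, never /Views
        app.UseAuthentication();   // reads the Identity cookie into HttpContext.User
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```

A quick check that the view is really unreachable: request /Reports/Index without a session cookie and you should get a redirect to the Identity login page, never the rendered view.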