diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs
index 9c20313b84b7..84af3b50d1f4 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs	
@@ -41,6 +41,14 @@ public ActionResult Delete4(int id)
         doThings();
         return View();
     }
+
+    // GOOD: The Authorize attribute is used.
+    [Authorize("foo")]
+    public ActionResult Delete5(int id)
+    {
+        doThings();
+        return View();
+    }
 }
 
 [Authorize]