Lamloumi Afif February 2016

Customizing System.Web.Http.AuthorizeAttribute within asp.net web api application

I'd like to customize the System.Web.Http.AuthorizeAttribute class like this:

    public class MyAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
    {
        // Set at the use site, but overwritten below before it is ever compared.
        public PermissionsEnum IsPermitted { get; set; }

        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            if (System.Web.HttpContext.Current.Session["Role"] == null) return false;
            string rol = (string)System.Web.HttpContext.Current.Session["Role"];

            // Note: "Roles" here is the base class's string property, not the local "rol".
            if (rol == "Admin" || Roles == "Super Admin") IsPermitted = PermissionsEnum.Administration;
            else IsPermitted = PermissionsEnum.Collaboration;
            return base.IsAuthorized(actionContext);
        }
    }

    [Flags]
    public enum PermissionsEnum
    {
        Administration,
        Collaboration
    }

I used it in a controller:

    [MyAuthorizeAttribute(IsPermitted = PermissionsEnum.Administration)]
    public class PointageController : Controller   // MVC controller (returns ActionResult / View())
    {
        public ActionResult GraphesEtStatistiques()
        {
            return View();
        }

        [MyAuthorizeAttribute(IsPermitted = PermissionsEnum.Administration)]
        public ActionResult Pointage()
        {
            return View();
        }

        public ActionResult Parametrage()
        {
            return View();
        }

        public ActionResult GetMessages()
        {
            MessagesRepository _messageRepository = new MessagesRepository();
            return PartialView("_MessagesList", _messageRepository.GetAllMessages());
        }
    }

My problem is that I can access the Pointage view even when IsPermitted=PermissionsEnum.Collaboration!!!!

So:

  1. What is the reason for this problem?
  2. How can I fix it?

Answers


user3709957 February 2016

Above all, if you set [MyAuthorizeAttribute(IsPermitted = PermissionsEnum.Administration)] over your controller(s), this means all actions implemented inside that class will use the same Authorization, even if you set a different Authorization for each method...

If you want to customize your authorization for each Action, you must remove the attribute from the controller(s).

The IsAuthorized method:

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (System.Web.HttpContext.Current.Session["Role"] == null) return false;
        string rol = (string)System.Web.HttpContext.Current.Session["Role"];

        // Derive the caller's permission from the session role, then compare it with the
        // permission the attribute was declared with instead of overwriting IsPermitted.
        var userPermittedFlag = (rol == "Admin" || rol == "Super Admin") ? PermissionsEnum.Administration : PermissionsEnum.Collaboration;
        return userPermittedFlag == this.IsPermitted;
    }


K. Alan Bates February 2016

  1. What is the reason for this problem?

Your problem is that your logic within your IsAuthorized method is improper.

  2. How can I fix it?

...set a breakpoint and debug your IsAuthorized method.

From looking at the code you provided, with the way it is currently structured, the IsPermitted property is superfluous. You pass it into the attribute when decorating your controller, but then inside your IsAuthorized method, you do nothing with the injected value. Instead, you set it independently. Then you call the base AuthorizeAttribute's IsAuthorized method, and the base attribute has no concept of your enum.

I can't know for sure if this will solve your domain requirements, but this will at least give you a functional IsAuthorized method that you can build from:

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (System.Web.HttpContext.Current.Session["Role"] == null) return false;
        string role = (string)System.Web.HttpContext.Current.Session["Role"];

        if ((role == "Admin" || role == "Super Admin") // recycling your condition
           && IsPermitted == PermissionsEnum.Administration) return true;

        if (role == "Collaborator"
           && IsPermitted == PermissionsEnum.Collaboration) return true;

        // Any other role/permission combination is denied.
        return false;
    }
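As an added example (not code from the question or either answer), here is a version of the attribute that compares the action's declared IsPermitted against what the session role grants, fails closed on a missing or unknown role, and is applied to an ApiController so the Web API filter actually runs. It keeps the question's role names, session key and enum members; the None member, the PermissionsForRole helper and the assumption that admins also hold Collaboration are mine.

```csharp
using System;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;

// Constructed for this example: the question's enum plus an explicit None so an unknown role grants nothing.
[Flags]
public enum PermissionsEnum { None = 0, Administration = 1, Collaboration = 2 }

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    // Permission the decorated action requires; set at the use site and never overwritten here.
    public PermissionsEnum IsPermitted { get; set; }

    // Maps the session role to the permissions it carries. Assumption: admins also hold
    // Collaboration. Unknown or missing roles map to None (fail closed).
    public static PermissionsEnum PermissionsForRole(string role)
    {
        switch (role)
        {
            case "Admin":
            case "Super Admin": return PermissionsEnum.Administration | PermissionsEnum.Collaboration;
            case "Collaborator": return PermissionsEnum.Collaboration;
            default: return PermissionsEnum.None;
        }
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Base check first: the request must carry an authenticated principal
        // (and satisfy Users/Roles if those base properties are set).
        if (!base.IsAuthorized(actionContext)) return false;

        // Web API does not enable session state by default, so Session may be null; treat that as denied.
        var role = HttpContext.Current?.Session?["Role"] as string;
        if (string.IsNullOrEmpty(role)) return false;

        // Compare what the role grants against what the action requires.
        return IsPermitted != PermissionsEnum.None && PermissionsForRole(role).HasFlag(IsPermitted);
    }
}

// System.Web.Http.AuthorizeAttribute is evaluated only by the Web API pipeline, so it must decorate
// an ApiController; on a System.Web.Mvc.Controller (as in the question) it never runs at all.
[MyAuthorize(IsPermitted = PermissionsEnum.Administration)]
public class PointageApiController : ApiController
{
    [HttpGet]
    public IHttpActionResult Pointage() { return Ok("reachable only with Administration"); }
}
```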

Post Status

Asked in February 2016
Viewed 3,959 times
Voted 7
Answered 2 times
