c# WebApi Attribute Authorization

Question

I have a code written by an external programmer. The project is a WebApi. I don't know how the authorization happens. An attribute above my controller method makes this happen I think. But I don't understand how the authorization actually happens. Example of a controller method:

    [HttpGet]
    [Route("organizationunits/{entity}/{type}")]
    [MDLAuthorize(Actions.Read)]
    public async Task<IHttpActionResult> GetEntities(string entity, string type)
    {//some code}

The MDLAuthorize attribute specifies a method. And I think somehow the IsAuthorized method is called.

public class MDLAuthorize : AuthorizeAttribute
{
    private string _action;

    public MDLAuthorize(string action)
        : base()
    {
        _action = action;
    }

    protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        try
        {
            if (String.IsNullOrEmpty(_action))
                return false;

            var baseAuthorized = base.IsAuthorized(actionContext);

            string activity = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
            if (actionContext.RequestContext.Principal == null ||
                actionContext.RequestContext.Principal.Identity == null)
            {
                //no principal, no fun.
                return false;
            }
            else
            {
                string username = actionContext.RequestContext.Principal.Identity.Name;
                bool isAuthorized = Security.HasPermission(username, activity, _action);
                return isAuthorized;
            }
        }
        catch (Exception ex)
        {
            MDLApiLog.Error(ex);
            return false;
        }
    }
}

I don't know if needed for my question, but this is the AuthorizeAttribute class

    //
// Summary:
//     Specifies the authorization filter that verifies the request's System.Security.Principal.IPrincipal.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : AuthorizationFilterAttribute
{
    //
    // Summary:
    //     Initializes a new instance of the System.Web.Http.AuthorizeAttribute class.
    public AuthorizeAttribute();

    //
    // Summary:
    //     Gets or sets the authorized roles.
    //
    // Returns:
    //     The roles string.
    public string Roles { get; set; }
    //
    // Summary:
    //     Gets a unique identifier for this attribute.
    //
    // Returns:
    //     A unique identifier for this attribute.
    public override object TypeId { get; }
    //
    // Summary:
    //     Gets or sets the authorized users.
    //
    // Returns:
    //     The users string.
    public string Users { get; set; }

    //
    // Summary:
    //     Calls when an action is being authorized.
    //
    // Parameters:
    //   actionContext:
    //     The context.
    //
    // Exceptions:
    //   T:System.ArgumentNullException:
    //     The context parameter is null.
    public override void OnAuthorization(HttpActionContext actionContext);
    //
    // Summary:
    //     Processes requests that fail authorization.
    //
    // Parameters:
    //   actionContext:
    //     The context.
    protected virtual void HandleUnauthorizedRequest(HttpActionContext actionContext);
    //
    // Summary:
    //     Indicates whether the specified control is authorized.
    //
    // Parameters:
    //   actionContext:
    //     The context.
    //
    // Returns:
    //     true if the control is authorized; otherwise, false.
    protected virtual bool IsAuthorized(HttpActionContext actionContext);
}

Answer 1

Any attribute that inherits AuthorizeAttribute will have its IsAuthorized() method invoked at the time of the request. The body of that method in your derived attribute is using the Security.HasPermission() method to check if the user is able to perform that operation.