Reputation: 175
.netcore override controllerlevel Authorizeattribute on single action method
In the controllercode below only users who are in the "Administrator" role can accesss the GetData() action method, because of the controllerlevel Authorizeattribute. But I also want users who only are in "Manager" role to have access to the GetData() action method, how to write a custom attribute for this?
[Authorize(Roles = "Administrator")]
Pulic class AdminController : Controller
{
[Authorize(Roles = "Administrator, Manager")]
public IActionResult GetData()
{
}
}
Upvotes: 3
Views: 2913
Answers (2)
Reputation: 979
In the startup.cs file, add the Authorization as follows:
services.AddAuthorization(options =>
{
var roles = new List<string>{ Role.Administrator, Role.Manager};
var requirement =
new List<IAuthorizationRequirement> {new AdminManagerAuthorizationOverrideOthers(roles) };
var sharedAuthentication =
new AuthorizationPolicy(requirement,
new List<string>());
options.AddPolicy(name: "AdminManager", policy: sharedAuthentication);
options.AddPolicy(name: "Administrator", configurePolicy: policy => policy.RequireAssertion(e =>
{
if (e.Resource is AuthorizationFilterContext afc)
{
var noPolicy = afc.Filters.OfType<AuthorizeFilter>().Any(p =>
p.Policy.Requirements.Count == 1 &&
p.Policy.Requirements.Single() is AdminManagerAuthorizationOverrideOthers);
if (noPolicy)
return true;
}
return e.User.IsInRole(Role.Administrator);
}));
});
Create a class in any namespace that Inherits "RolesAuthorizationRequirement" from "Microsoft.AspNetCore.Authorization.Infrastructure" namespace as follows:
public class AdminManagerAuthorizationOverrideOthers : RolesAuthorizationRequirement
{
public AdminManagerAuthorizationOverrideOthers(IEnumerable<string> allowedRoles) : base(allowedRoles)
{
}
}
Then, decorate the controller and action method as follows:
[Authorize(Policy = "Administrator")]
Public class AdminController : Controller
{
public IActionResult GetData()
{
}
[Authorize(Policy = "AdminManager")]
public IActionResult AdministratorOnly()
{
}
}
Upvotes: 1
Reputation: 24136
The class-level attribute is always checked first, so it denies anyone who is not in the right role. You need to specify the widest access at class level, then narrow it down on method level where needed:
[Authorize(Roles = "Administrator, Manager")]
public class AdminController : Controller
{
// no attribute needed here
public IActionResult GetData()
{
}
[Authorize(Roles = "Administrator")]
public IActionResult RestrictedMethod()
{
}
}
Upvotes: 2
Related Questions
- Overriding controller AuthorizeAttribute for just one action
- OverrideAuthorizationAttribute in ASP.NET 5
- OverrideAuthorization attribute in .NETCore
- .NET Core override controller level Authorize attribute for a specific action
- Overriding AuthorizeCore in custom Authorize attribute results in "no suitable method found to override" error
- How override the global AuthorizeAttribute when add same AuthorizeAttribute for some Action MVC?
- Overriding AuthorizeAttribute in MVC 4
- Extend AuthorizeAttribute Override AuthorizeCore or OnAuthorization
- Overriding AuthorizeCore from AuthorizeAttribute is not being invoked
- ASP.Net MVC: Can the AuthorizeAttribute be overriden?