Does the method have to abandon the AuthorizeAttribute class?

Question

Does the method have to abandon the AuthorizeAttribute class?

I have an ApiController class with 10 public methods.

Of these 10 methods, nine require [Authorize(Roles="Admin")] . One that does not do this does not require authorization.

If it were not for this single method that does not require authorization, I would decorate the ApiController [Authorize(Roles="Admin")] class.

Instead of class level, I decorate all nine methods with the same [Authorize(Roles="Admin")] and do not decorate this single method with [Authorize(...)] .

What I don't like about this is that I have to repeat the same [Authorize(Roles="Admin")] nine times.

Is there a way that I can, however, decorate the [Authorize(Roles="Admin")] class and only decorate the only method that [Authorize(Roles="Admin")] should not have with an attribute that means that something like "don't apply class-level action filter for this particular method"?

+8

c # .net asp.net-mvc asp.net-web-api

core May 20, '15 at 2:56 pm

source share

1 answer

Tom chantler · Accepted Answer · 2015-05-20T14:58:53+0000

You can use the [AllowAnonymous] attribute. I did this in the “Login” action when the website was in preview, for example, so that someone could see the “Login” page, but no one could see the rest of the site before logging in. It was a simple solution for the client :-)

In fact, I even wrote a custom attribute that read the parameter from the database, so I could put the site in a “lock” if you understand what I mean.

Does the method have to abandon the AuthorizeAttribute class?

More articles: