Inheritance of Authorized Roles in controller classes

给你一囗甜甜゛ 提交于 2019-12-06 06:46:55

Looking at AttributeUsage attribute of Authorize attribute ;

[AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method, 
    Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter

Inherited= true means that subclasses of the class which decorated with this attribute can inherit this attribute.

AllowMultiple=true means that this attribute can be placed more than once on same entity.

With inherited attributes and allowed usage of same attribute your SalesController can be considered as

[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }

And you can test this at runtime with this code.

var a = typeof(SalesController).GetCustomAttributes(true).ToArray();

First question, will the Owner, Admin and Employee Roles have access to the SalesController? Inherited attributes are separated so they are applied independently.For one user to access SalesController , user must have all roles(owner ,admin ,employee and sales) not one of them.

See the difference between

[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }

and

[Authorize(Roles = "Owner,Admin,Employee,Sales")]
public abstract class SalesController:EmployeeController { }

Second question: If you leave [Authorize] uncommented with same logic AccountController is like

[Authorize(Roles = "Owner")]
[Authorize]
public class AccountController:ControllerAuthorities{}

So it does not override inherited authority just creates multiple usage of authorize attribute because multiple usage is allowed for Authorize attribute. If AllowMultiple were false in Authorize attribute definiton then derived class could override the attribute in base class.

Amirhossein Mehrvarzi

will the Owner, Admin and Employee Roles have access to the SalesController?

No, They can't access to SalesController. Inheritance makes your code like this:

[Authorize(Roles = "Owner")]
public abstract class ControllerAuthorities:Controller { }
[Authorize(Roles = "Admin", "Owner")]
public abstract class AdminController:Controller { }

[Authorize(Roles = "Employee", "Admin", "Owner")]
public abstract class EmployeeController:Controller { }
[Authorize(Roles = "Sales", "Employee", "Admin", "Owner")]
public abstract class SalesController:Controller { }

And since SalesController requires additional role, named Sales won't be accessible. Key to Access SalesController: The user should be in All the mentioned roles.

If I leave the [Authorize] uncommented, will this override the inherited authority Role?

Yes, since AccountController derived from ControllerAuthorities which requires Owner role.

Note that the controllers in MVC are just classes with some additional features to handle requests. There's no difference with class concepts.

Tip : Look at the followings:

  • [Authorize(Roles = "Sales, Employee, Admin, Owner")] allows the user which have one of the roles. In another words, This acts like OR (||) operation.
  • [Authorize(Roles = "Sales", "Employee", "Admin", "Owner")] allows the user which have All of the roles. In another words, This acts like And (&) operation.

The last one is like your question. That's equal to the following too:

[Authorize(Roles = "Owner")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Sales")]

For more clarification than this! see How to authorize a set of controllers without placing the annotation on each one?

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!