AllowAnonymous can override AuthorizeAttribute

#309
2014-04-28 10:57:20 -07:00 · 2014-04-28 10:57:20 -07:00 · b3046a0285
parent e5aeb738e3
commit b3046a0285
2 changed files with 21 additions and 1 deletions
--- a/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeAttribute.cs
+++ b/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeAttribute.cs
@ -50,7 +50,7 @@ namespace Microsoft.AspNet.Mvc
                    user.Identity == null || 
                    !user.Identity.IsAuthenticated;

-                    if(userIsAnonymous)
+                    if(userIsAnonymous && !HasAllowAnonymous(context))
                    {
                        base.Fail(context);
                    }
--- a/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeAttributeTests.cs
+++ b/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeAttributeTests.cs
@ -45,6 +45,26 @@ namespace Microsoft.AspNet.Mvc.Core.Test
            Assert.NotNull(authorizationContext.Result);
        }

+        [Fact]
+        public async Task Invoke_EmptyClaimsWithAllowAnonymousAttributeShouldNotRejectAnonymousUser()
+        {
+            // Arrange
+            var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
+            var authorizeAttribute = new AuthorizeAttribute();
+            var authorizationContext = GetAuthorizationContext(services => 
+                services.AddInstance<IAuthorizationService>(authorizationService),
+                anonymous: true
+                );
+
+            authorizationContext.Filters.Add(new AllowAnonymousAttribute());
+
+            // Act
+            await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
+
+            // Assert
+            Assert.Null(authorizationContext.Result);
+        }
+
        [Fact]
        public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser()
        {