diff --git a/src/Microsoft.AspNet.Authorization/AuthorizationHandler.cs b/src/Microsoft.AspNet.Authorization/AuthorizationHandler.cs
index f5418841ab..84e0160fee 100644
--- a/src/Microsoft.AspNet.Authorization/AuthorizationHandler.cs
+++ b/src/Microsoft.AspNet.Authorization/AuthorizationHandler.cs
@@ -40,10 +40,12 @@ namespace Microsoft.AspNet.Authorization
 {
 public virtual async Task HandleAsync(AuthorizationContext context)
 {
- var resource = context.Resource as TResource;
- foreach (var req in context.Requirements.OfType())
+ if (context.Resource is TResource)
 {
- await HandleAsync(context, req, resource);
+ foreach (var req in context.Requirements.OfType())
+ {
+ await HandleAsync(context, req, (TResource)context.Resource);
+ }
 }
 }
diff --git a/test/Microsoft.AspNet.Authorization.Test/DefaultAuthorizationServiceTests.cs b/test/Microsoft.AspNet.Authorization.Test/DefaultAuthorizationServiceTests.cs
index 3ee2e547c5..3b5d68360f 100644
--- a/test/Microsoft.AspNet.Authorization.Test/DefaultAuthorizationServiceTests.cs
+++ b/test/Microsoft.AspNet.Authorization.Test/DefaultAuthorizationServiceTests.cs
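Review bot: The guard `if (context.Resource is TResource)` also rejects a null resource, so a handler is now never invoked unless the resource is exactly the type it declares — the old `as` cast let `Handle` run with `resource == null`, which a handler ignoring its resource parameter would happily succeed. That is the right fail-closed default, but it is a contract change callers derive handlers against and nothing in the code states it; an XML remark on `HandleAsync` would pin it, e.g. `/// <remarks>Handlers run only when <see cref="AuthorizationContext.Resource"/> is a <typeparamref name="TResource"/>; a null or differently-typed resource leaves the requirements unhandled, which the authorization service treats as not authorized.</remarks>` (the last clause is what the new tests assert, so it is grounded). The cast `(TResource)context.Resource` is re-evaluated for every requirement; hoisting it once before the loop, `var resource = (TResource)context.Resource;`, keeps the loop body to the original `await HandleAsync(context, req, resource);`. The enclosing class, and the `Handle` overload this loop dispatches to, are outside the hunk.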
@@ -813,6 +813,35 @@ namespace Microsoft.AspNet.Authorization.Test
 Assert.True(await authorizationService.AuthorizeAsync(user, null, Operations.Create));
 }
+ public class NotCalledHandler : AuthorizationHandler
+ {
+ protected override void Handle(AuthorizationContext context, OperationAuthorizationRequirement requirement, string resource)
+ {
+ throw new NotImplementedException();
+ }
+ }
+
+ [Fact]
+ public async Task DoesNotCallHandlerWithWrongResourceType()
+ {
+ // Arrange
+ var authorizationService = BuildAuthorizationService(services =>
+ {
+ services.AddTransient();
+ });
+ var user = new ClaimsPrincipal(
+ new ClaimsIdentity(
+ new Claim[] {
+ new Claim("SuperUser", "yes")
+ },
+ "AuthType")
+ );
+
+ // Act
+ // Assert
+ Assert.False(await authorizationService.AuthorizeAsync(user, 1, Operations.Edit));
+ }
+
 [Fact]
 public async Task CanAuthorizeOnlyAllowedOperations()
 {
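Review bot: `NotCalledHandler.Handle` consists solely of `throw new NotImplementedException();`, and nothing in the hunk says that the throw is the actual check rather than an unfinished stub — the `Assert.False` alone cannot distinguish "handler skipped" from "handler ran and did not succeed", so the exception is what carries the test. A comment on the override makes that explicit: `// Deliberate: this handler takes a string resource and the test passes an int, so any invocation must fail the test with an exception rather than merely return false.` The "SuperUser" claim on the principal plays no part in the outcome (the handler never reads it), so a plain `new ClaimsPrincipal()` as in the neighbouring tests would make the fixture smaller; if the claim is meant to show that even a privileged user is refused, say so in the Arrange comment.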
@@ -820,15 +849,29 @@ namespace Microsoft.AspNet.Authorization.Test
 var authorizationService = BuildAuthorizationService(services =>
 {
 services.AddInstance(new ExpenseReportAuthorizationHandler(new OperationAuthorizationRequirement[] { Operations.Edit }));
- services.AddTransient();
 });
 var user = new ClaimsPrincipal();
 // Act
 // Assert
- Assert.True(await authorizationService.AuthorizeAsync(user, null, Operations.Edit));
- Assert.False(await authorizationService.AuthorizeAsync(user, null, Operations.Delete));
- Assert.False(await authorizationService.AuthorizeAsync(user, null, Operations.Create));
+ Assert.True(await authorizationService.AuthorizeAsync(user, new ExpenseReport(), Operations.Edit));
+ Assert.False(await authorizationService.AuthorizeAsync(user, new ExpenseReport(), Operations.Delete));
+ Assert.False(await authorizationService.AuthorizeAsync(user, new ExpenseReport(), Operations.Create));
+ }
+
+ [Fact]
+ public async Task AuthorizeHandlerNotCalledWithNullResource()
+ {
+ // Arrange
+ var authorizationService = BuildAuthorizationService(services =>
+ {
+ services.AddInstance(new ExpenseReportAuthorizationHandler(new OperationAuthorizationRequirement[] { Operations.Edit }));
+ });
+ var user = new ClaimsPrincipal();
+
+ // Act
+ // Assert
+ Assert.False(await authorizationService.AuthorizeAsync(user, null, Operations.Edit));
 }
 [Fact]
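Review bot: `AuthorizeHandlerNotCalledWithNullResource` asserts only `Assert.False(...)`, which does not by itself show the handler was not called; the test is indirect, relying on `ExpenseReportAuthorizationHandler` (defined outside the hunk) appearing to grant Edit to an empty principal regardless of resource, as the removed `Assert.True(... user, null, Operations.Edit)` above used to pass. A one-line comment before the assert would keep that reasoning with the test: `// The Edit handler used to succeed here with a null resource; False now means it was never invoked.` A direct check is also available in the same commit — a throwing handler like `NotCalledHandler` from the previous hunk registered for the null-resource case would fail with an exception rather than rely on the other handler's semantics. The hunk opens mid-way through `CanAuthorizeOnlyAllowedOperations`, whose signature and Arrange comment are outside it.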