Removing AuthorizationFilterAttribute as we do not want users to easily create their own authorization implementation. They should instead

use authorization policies and requirements(IAuthorizationRequirement) to enforce authorization.
[Fixes #4233] AuthorizationFilterAttribute returns UnauthorizedResult rather than ChallengeResult
This commit is contained in:
Kiran Challa 2016-03-29 12:31:07 -07:00
parent e1abb47b98
commit e0212752e5
5 changed files with 26 additions and 62 deletions

View File

@ -1,53 +0,0 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Internal;
namespace Microsoft.AspNetCore.Mvc.Filters
{
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public abstract class AuthorizationFilterAttribute :
Attribute, IAsyncAuthorizationFilter, IAuthorizationFilter, IOrderedFilter
{
public int Order { get; set; }
public virtual Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
OnAuthorization(context);
return TaskCache.CompletedTask;
}
public virtual void OnAuthorization(AuthorizationFilterContext context)
{
}
protected virtual bool HasAllowAnonymous(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
return context.Filters.Any(item => item is IAllowAnonymousFilter);
}
protected virtual void Fail(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
context.Result = new UnauthorizedResult();
}
}
}

View File

@ -1,6 +1,7 @@
// Copyright (c) .NET Foundation. All rights reserved. // Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Reflection; using System.Reflection;
using System.Security.Claims; using System.Security.Claims;
using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http;
@ -9,9 +10,9 @@ using Microsoft.AspNetCore.Mvc.Filters;
namespace FiltersWebSite namespace FiltersWebSite
{ {
public class AuthorizeUserAttribute : AuthorizationFilterAttribute public class AuthorizeUserAttribute : Attribute, IAuthorizationFilter
{ {
public override void OnAuthorization(AuthorizationFilterContext context) public virtual void OnAuthorization(AuthorizationFilterContext context)
{ {
var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor; var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor;
if (controllerActionDescriptor.MethodInfo == if (controllerActionDescriptor.MethodInfo ==

View File

@ -1,13 +1,17 @@
// Copyright (c) .NET Foundation. All rights reserved. // Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters; using Microsoft.AspNetCore.Mvc.Filters;
namespace FiltersWebSite namespace FiltersWebSite
{ {
public class BlockAnonymous : AuthorizationFilterAttribute public class BlockAnonymous : Attribute, IAuthorizationFilter
{ {
public override void OnAuthorization(AuthorizationFilterContext context) public void OnAuthorization(AuthorizationFilterContext context)
{ {
if (!HasAllowAnonymous(context)) if (!HasAllowAnonymous(context))
{ {
@ -19,9 +23,20 @@ namespace FiltersWebSite
if (userIsAnonymous) if (userIsAnonymous)
{ {
base.Fail(context); context.Result = new UnauthorizedResult();
} }
} }
} }
private bool HasAllowAnonymous(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
return context.Filters.Any(item => item is IAllowAnonymousFilter);
}
} }
} }

View File

@ -1,6 +1,7 @@
// Copyright (c) .NET Foundation. All rights reserved. // Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Reflection; using System.Reflection;
using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Controllers; using Microsoft.AspNetCore.Mvc.Controllers;
@ -8,9 +9,9 @@ using Microsoft.AspNetCore.Mvc.Filters;
namespace FiltersWebSite namespace FiltersWebSite
{ {
public class GlobalAuthorizationFilter : AuthorizationFilterAttribute public class GlobalAuthorizationFilter : Attribute, IAuthorizationFilter
{ {
public override void OnAuthorization(AuthorizationFilterContext context) public void OnAuthorization(AuthorizationFilterContext context)
{ {
var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor; var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor;
if (controllerActionDescriptor.MethodInfo == if (controllerActionDescriptor.MethodInfo ==

View File

@ -6,9 +6,9 @@ using Microsoft.AspNetCore.Mvc.Filters;
namespace FiltersWebSite namespace FiltersWebSite
{ {
public class ThrowingAuthorizationFilter : AuthorizationFilterAttribute public class ThrowingAuthorizationFilter : Attribute, IAuthorizationFilter
{ {
public override void OnAuthorization(AuthorizationFilterContext context) public void OnAuthorization(AuthorizationFilterContext context)
{ {
throw new InvalidProgramException("Authorization Filter Threw"); throw new InvalidProgramException("Authorization Filter Threw");
} }