
AllowAnonymous attribute at action level is ignored in AppendAuthorizeToSummaryOperationFilter


Hello,

There’s the following code, which protects the controller with a specific scope, but allows one of the actions to be accessed without any authorization:

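    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;

    // Controller-level policy: every action requires "scope.read" ...
    [Authorize("scope.read")]
    public class ItemsController : Controller
    {
        // ... except this one, which opts out of authorization entirely.
        [AllowAnonymous]
        public async Task<IActionResult> Get()
        {
            // do stuff ...
            return Ok();
        }
    }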

Anyhow, using the AppendAuthorizeToSummaryOperationFilter filter, the following is added to the GET /Items description: (Auth policies: scope.read).

This does not seem to be correct behavior, as the action can be accessed with no authorization, meaning the Auth policies should not be displayed either.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 5 (3 by maintainers)
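
One way a documentation filter or an endpoint audit can resolve the policies that actually apply to an action, so that `[AllowAnonymous]` suppresses the controller-level policy in the output. This is an added example, not code from the issue or from the project it was filed against; `EffectiveAuth`, `PoliciesFor` and the `List` action are hypothetical names, and the controller is a constructed stand-in for the one in the report.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;

// Added example: hypothetical helper, not the project's own filter code.
public static class EffectiveAuth
{
    // Policies a caller must satisfy to reach the action; empty when the
    // action is anonymous or carries no policy-based [Authorize].
    public static IReadOnlyList<string> PoliciesFor(MethodInfo action)
    {
        Type controller = action.ReflectedType ?? action.DeclaringType;

        // [AllowAnonymous] on the action or the controller bypasses every
        // [Authorize], so no policy may be reported for this action.
        bool anonymous =
            action.GetCustomAttributes<AllowAnonymousAttribute>(true).Any() ||
            controller.GetCustomAttributes<AllowAnonymousAttribute>(true).Any();
        if (anonymous) return Array.Empty<string>();

        return controller.GetCustomAttributes<AuthorizeAttribute>(true)
            .Concat(action.GetCustomAttributes<AuthorizeAttribute>(true))
            .Select(a => a.Policy)
            .Where(p => !string.IsNullOrEmpty(p))
            .Distinct()
            .ToList();
    }
}

// Constructed controller mirroring the one in the issue, plus a second action.
[Authorize("scope.read")]
public class ItemsController
{
    [AllowAnonymous] public string Get() => "public";
    public string List() => "protected";
}

public static class Program
{
    public static void Main()
    {
        foreach (var name in new[] { "Get", "List" })
        {
            var policies = EffectiveAuth.PoliciesFor(typeof(ItemsController).GetMethod(name));
            Console.WriteLine($"{name}: {(policies.Count == 0 ? "(no auth policies)" : string.Join(", ", policies))}");
        }
    }
}
```

Running the same resolution over every controller in an assembly gives a quick list of endpoints whose generated documentation and enforced authorization could disagree.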

Top GitHub Comments

mattfrear commented, Mar 16, 2018

OK this sounds like a bug so I’ll investigate it when I get a chance.


Top Results From Across the Web

AllowAnonymous attribute make Authorize ignored
After I peek the authorize code, This part of code make the authorize not working : public virtual void OnAuthorization(AuthorizationContext ...

[Allow Anonymous skips all authorization] do not take effect ...
If you combine [AllowAnonymous] and any [Authorize] attribute, the [Authorize] attributes are ignored. For example if you apply [AllowAnonymous] ...

Simple authorization in ASP.NET Core
If you combine [AllowAnonymous] and an [Authorize] attribute, the [Authorize] attributes are ignored. For example if you apply [AllowAnonymous] ...

Authorization in ASP.NET Core
Please note: If you apply [AllowAnonymous] attribute at the controller level, any [Authorize] attribute on the same controller actions is ignored.

Part 70 Authorize and AllowAnonymous action filters in mvc
NET MVC, by default, all the controller action methods are accessible ... AllowAnonymous attribute is used to skip authorization enforced by ...
