Assume access not granted

Feb 6, 2013 at 2:33 PM
Edited Feb 6, 2013 at 3:59 PM
OK I think I'm getting my head around this a bit more now.

One concept I know some projects are doing now is assuming that authorization is required unless explicitly stated, as this is more fail-safe from a security standpoint.

At present if you don't specify a role on a controller/action access is given.

I was thinking possibly editing IsAuthorized in ExtensionMethods to work as follows:

```csharp
// Check the descriptor itself before touching its Roles, otherwise a null
// descriptor throws a NullReferenceException before the default-deny branch is reached.
if (descriptor == null || descriptor.Roles == null || descriptor.Roles.Count == 0)
{
    return false; // nothing configured: deny by default
}

if (descriptor.Roles.Contains("Anonymous"))
{
    return true; // explicitly opened to anonymous callers
}
```
I then also found the need to change the AuthorizationProvider to use OR instead of AND as follows:

```csharp
public bool IsAuthorizedAction(string controllerName, string actionName, string areaName = null)
{
    ...
    // Return auth
    return area.IsAuthorized() || controller.IsAuthorized() || action.IsAuthorized();
}
```

and

```csharp
public bool IsAuthorizedController(string controllerName, string areaName = null)
{
    ...
    // Return auth
    return area.IsAuthorized() || controller.IsAuthorized();
}
```
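To make the two changes above concrete, here is a self-contained console program (added here as an example; it is not code from the library or from the poster) that models a descriptor as a list of configured role names, applies the default-deny IsAuthorized and the OR combination across area, controller and action, and exercises it for an anonymous caller and for a member of "Admin". The AuthDescriptor type, the CurrentUserRoles hook and the sample role names are assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the library's descriptor: the role names configured
// on one area, controller or action. Roles == null means nothing was configured.
class AuthDescriptor
{
    public List<string> Roles { get; set; }
}

static class DefaultDenyAuthorization
{
    // Roles held by the current caller (constructed for the example; the real
    // library would read these from the authenticated principal).
    public static Func<IEnumerable<string>> CurrentUserRoles = () => new[] { "Anonymous" };

    // Default-deny IsAuthorized: a level grants access only if it explicitly
    // allows anonymous callers or names a role the caller actually holds.
    public static bool IsAuthorized(this AuthDescriptor descriptor)
    {
        // Null-check the descriptor first so a missing configuration denies
        // instead of throwing.
        if (descriptor == null || descriptor.Roles == null || descriptor.Roles.Count == 0)
        {
            return false;
        }

        if (descriptor.Roles.Contains("Anonymous"))
        {
            return true;
        }

        return descriptor.Roles.Intersect(CurrentUserRoles()).Any();
    }

    // OR across levels: a grant configured at any level is sufficient.
    public static bool IsAuthorizedAction(AuthDescriptor area, AuthDescriptor controller, AuthDescriptor action)
    {
        return area.IsAuthorized() || controller.IsAuthorized() || action.IsAuthorized();
    }
}

class Program
{
    static void Main()
    {
        // Constructed configuration: the Account controller is restricted to Admin,
        // LogOn is opened to anonymous callers, ChangePassword has no roles at all.
        var account = new AuthDescriptor { Roles = new List<string> { "Admin" } };
        var logOn = new AuthDescriptor { Roles = new List<string> { "Anonymous" } };
        var changePassword = new AuthDescriptor();

        // Anonymous caller: LogOn is reachable, ChangePassword is denied by default.
        Console.WriteLine("anon -> LogOn: " +
            DefaultDenyAuthorization.IsAuthorizedAction(null, account, logOn));
        Console.WriteLine("anon -> ChangePassword: " +
            DefaultDenyAuthorization.IsAuthorizedAction(null, account, changePassword));

        // Admin caller: the controller-level grant is enough under OR semantics,
        // even though ChangePassword itself configures no roles.
        DefaultDenyAuthorization.CurrentUserRoles = () => new[] { "Admin" };
        Console.WriteLine("admin -> ChangePassword: " +
            DefaultDenyAuthorization.IsAuthorizedAction(null, account, changePassword));
    }
}
```

The last case is worth noticing when reviewing a configuration of this kind: with OR across levels, a role granted on the controller reaches every action that does not itself carry a grant, so an action that should be tighter than its controller needs its own explicit roles rather than relying on having none.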
Coordinator
Jul 18, 2013 at 3:30 AM
Edited Jul 18, 2013 at 3:31 AM
In version 2 you can have this happen with policies:

```xml
<mvcAuthorization>
  <policies>
    <policy name="DenyNoRoleAccess" />
    <policy name="DenyAnonymousAccess" />
  </policies>
  ---
  <controller name="Account">
    <actions>
      <action name="LogOn">
        <policies>
          <policy ignoreInherited="true" name="DenyNoRoleAccess" /> <!-- Allow no role access for Login action -->
          <policy ignoreInherited="true" name="DenyAnonymousAccess" />  <!-- Allow anonymous access for Login action -->
        </policies>
      </action>
    </actions>
  </controller>
</mvcAuthorization>
```
Jul 18, 2013 at 8:35 AM
Excellent, thanks