question

Oct 9, 2013 at 12:14 PM
hi
I have very controller
but some control must have authorize and in control some action must be Annonymous
for example
      <controller name="Comments" roles="Admin">
        <actions>
          <action name="delete" roles="Admin2"/>
          <action name="GetFatherCommentPost" roles="Annonymous"/>
          <action name="GetChidCommentPost" roles="Annonymous"/>
          <action name="Create2" roles="Annonymous"/>
        </actions>
I want all action spicify by role Annonymous must be free and other action have roles !
how can doing?
thankhs
Coordinator
Jun 21, 2014 at 12:07 AM
Edited Jun 21, 2014 at 12:19 AM
Copying this to a work item to add in the ability to ignore inherited roles.

For this simple scenario you can leave the roles empty on everything except the delete action and specify "Admin" for the delete action.
<controller name="Comments">
        <actions>
          <action name="delete" roles="Admin"/>
          <action name="GetFatherCommentPost" />
          <action name="GetChidCommentPost" />
          <action name="Create2" />
        </actions>
This will allow anyone with the Admin role access. If you want the admin AND Admin2 roles to be required when authorizing, this is not currently supported directly through configuration. However, you can write a custom policy that will enforce this. See the documentation on how to do this:

https://mvcauthorization.codeplex.com/documentation
Coordinator
Jun 21, 2014 at 12:19 AM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.