Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Anders Grahn 14 posts 94 karma points
    Aug 30, 2013 @ 15:32
    Anders Grahn
    0

    Using MemberAuthorize AllowedGroup never denies

    Hello I'm having an issue with adding authentication to my UmbracoApiController for frontend member authentication, and I hope someone in here has any insight into this Running Umbraco 6.1.4, I have a membergroup whom should be the only ones able to access APImethods. Following (as far as I can tell http://our.umbraco.org/documentation/Reference/WebApi/authorization I setup of controller methods are as shown below

    public class CompanyApiController : UmbracoApiController
    {
        [HttpPost]
        [Umbraco.Web.WebApi.MemberAuthorize(AllowGroup = "MemberGroupName")]
        public HttpResponseMessage MethodName(SearchModel model)
        {
            //DO stuff
        }
    }
    

    My problem is this: Setting AllowGroup and attempting to access the method as a member not part of that group will still fire the method and return as if authenticated. Using AllowedMembers or AllowedType works fine and denies unauthorized requests but this solution uses MemberGroups/MembershipRoles so using AllowedType is not an option.

    Thanks in advance, Anders

  • Charles Afford 1163 posts 1709 karma points
    Aug 31, 2013 @ 14:01
    Charles Afford
    0

    Hi Anders why are you having to set permissions on API methods?

    Have you ensure that the group name is correct and the member trying to access it is not part of the group (i know you prob have its just easly done)  Charllie

  • Andy Butland 362 posts 1954 karma points MVP 3x c-trib
    Aug 31, 2013 @ 17:57
    Andy Butland
    100

    This looks like a bug to me having looked at the relevent source code.  I've created an issue and noted in the comments the resolution so hopefully that'll get sorted for an upcoming release.

    Andy

  • Anders Grahn 14 posts 94 karma points
    Sep 02, 2013 @ 09:24
    Anders Grahn
    0

    Thanks for the replies, I had indeed made sure the spelling and roleproperties, but some additional testing also pointed us towards it being an actual bug, so we grabbed Andy's solution and it works great :)

Please Sign in or register to post replies

Write your reply to:

Draft