
  • Justin Isbell 5 posts 85 karma points
    Mar 17, 2016 @ 16:43
    Justin Isbell
    0

    Restrict BackOffice Web API to Specific back office user

    I am building an API Controller that uses a new Section/Application in the Umbraco back office to add and edit some configuration information. I want to restrict the API to only specific back office users. I know how to easily restrict the section, but even with the section restricted, if you call the API directly in your browser it works. I tried, per the documentation, to use the Umbraco.Web.WebApi.UmbracoAuthorizeAttribute, but then when the API gets called I get a login screen even though I am already logged in. It seems like maybe this is actually for members. It does work to use the UmbracoAuthorizedApiController to restrict the API to just back office users, but I'm not sure what to do from there to restrict the API to specific users.

  • dillorscroft 198 posts 192 karma points
    Mar 18, 2016 @ 00:16
    dillorscroft
    0

    If your ApiController inherits from an UmbracoAuthorizedApiController it should work as expected.

  • Justin Isbell 5 posts 85 karma points
    Mar 18, 2016 @ 22:00
    Justin Isbell
    0

    I guess my confusion is because the documentation seems to contradict what I see in the code when I try to implement it. My understanding is that I can either inherit from UmbracoAuthorizedApiController or use the Umbraco.Web.WebApi.UmbracoAuthorizeAttribute. The documentation says that the attribute has no parameters. However when I put it in it gives me the options to specify users: this is the feature I need as I want my API to be restricted to specific back office users, not just anyone authenticated to the back office.

    When I implement the Umbraco.Web.WebApi.UmbracoAuthorizeAttribute I just get kicked to a logon screen when I try to hit the API, even though I allowed my user and my user only to access the API. It looks like this:

    [Umbraco.Web.WebApi.UmbracoAuthorize(Users = "Justin")]
    public class myApiController : UmbracoApiController
    {
        // controller actions omitted in the original post
    }
    

    Am I missing something or can I do the same thing somehow with the UmbracoAuthorizedApiController?

  • dillorscroft 198 posts 192 karma points
    Mar 18, 2016 @ 22:37
    dillorscroft
    100

    I don't think the UmbracoAuthorize attribute has parameters so inheriting from UmbracoAuthorizedApiController or implementing this attribute on one method will achieve the same result. Essentially ensuring that this is a validated back office user.

    At that point, a perhaps dirty way to achieve what you want is to query the user as follows within the method.

    if (User.Identity.Name == "Justin")
    {
        // logic restricted to this back office user goes here
    }
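
Added example, not part of the original thread and not Umbraco's own code: the name check from the answer above moved into a reusable Web API action filter, so every action on the controller is covered and a logged-in but unlisted back office user gets a 403 instead of the data. `AllowedBackOfficeUsersAttribute`, `ConfigApiController` and `GetSettings` are hypothetical names; the example assumes, as the answer does, that `User.Identity.Name` holds the back office user name.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Umbraco.Web.WebApi;

// Hypothetical filter (not an Umbraco type). Action filters run after
// authorization filters, so the back office login check inherited from
// UmbracoAuthorizedApiController has already passed when this executes.
public class AllowedBackOfficeUsersAttribute : ActionFilterAttribute
{
    private readonly HashSet<string> _allowed;

    public AllowedBackOfficeUsersAttribute(params string[] userNames)
    {
        // Ordinal comparison matches the == check in the answer above.
        _allowed = new HashSet<string>(userNames, StringComparer.Ordinal);
    }

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var controller = actionContext.ControllerContext.Controller as ApiController;
        var identity = controller == null || controller.User == null
            ? null
            : controller.User.Identity;

        // Fail closed: no identity, not authenticated, or not on the list.
        if (identity == null || !identity.IsAuthenticated || !_allowed.Contains(identity.Name))
        {
            // Setting Response here stops the action from running.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Not permitted for this back office user.");
        }
    }
}

// Assumption: User.Identity.Name is the back office user name, as in the answer.
[AllowedBackOfficeUsers("Justin")]
public class ConfigApiController : UmbracoAuthorizedApiController
{
    [HttpGet]
    public string GetSettings()
    {
        return "configuration payload"; // placeholder body
    }
}
```

Requesting the endpoint directly in a browser while logged in as a different back office user is the case from the original question and should now return 403.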
    
  • Justin Isbell 5 posts 85 karma points
    Mar 21, 2016 @ 22:41
    Justin Isbell
    0

    Thanks! I was just hoping I was missing something where I wouldn't have to do that. A little odd that the back office authorization controls are less granular than the member controls. Oh well. Appreciate the help.
