hey out there,
we've written a web api controller that we'd like to lock down to users logged into umbraco.
initially we used the 'Securing your API methods' section on https://our.umbraco.org/documentation/Reference/WebApi/ but realised that this was dealing with 'members' in the site, not admin users.
then we found this:
https://our.umbraco.org/documentation/Reference/WebApi/authorization
looking at 'Authorizing for the back office' it suggests using:
[Umbraco.Web.WebApi.UmbracoAuthorize]
public HttpResponseMessage Get([FromUri]string id, [FromUri]string from, [FromUri]string to) {}
which we've tried but this returns 'Authorization has been denied for this request.'
any ideas what we're doing wrong?! seems like 'Umbraco.Web.WebApi.UmbracoAuthorize' should do the trick...
...but it isn't?!
cheers,
jake
ok, did some more digging and answered my own question - so fingers crossed someone else will happen upon this and it'll help them out ;)
the key was to change this:
public class ExportController : UmbracoApiController
to this:
public class ExportController : UmbracoAuthorizedApiController
we've also added the '[IsBackOffice]' attribute to the class - but this doesn't seem to make any difference?
the other thing that changed was the url from this:
/Umbraco/Api/Export/Get/
to this:
/Umbraco/BackOffice/Api/Export/Get/
now if i hit the url without being logged into umbraco it returns the 'Authorization has been denied for this request.' which is perfect.
happy days ;)
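Added example, not part of the original thread or of Umbraco's own code: a small Python check that scans C# source for the combination this thread ran into, [UmbracoAuthorize] on a controller that derives from UmbracoApiController. The sample source is constructed, ReportController and PingController are hypothetical names, and nested classes are not handled.

```python
import re

CLASS_RE = re.compile(r"\bclass\s+(\w+)(?:\s*:\s*([\w.]+))?")
ATTR_RE = re.compile(
    r"\[\s*(?:Umbraco\.Web\.WebApi\.)?UmbracoAuthorize(?:Attribute)?\s*[(\]]")

# Constructed sample input. ExportController mirrors the thread; the other
# two controllers are hypothetical.
SAMPLE = '''
public class ExportController : UmbracoApiController {
    [Umbraco.Web.WebApi.UmbracoAuthorize]
    public HttpResponseMessage Get([FromUri]string id) { return null; }
}
public class ReportController : UmbracoAuthorizedApiController {
    public HttpResponseMessage Get() { return null; }
}
public class PingController : UmbracoApiController {
    // [UmbracoAuthorize] removed: this endpoint is meant to be public
    public string Get() { return "pong"; }
}
'''

def strip_comments(source):
    """Drop /* */ and // comments so commented-out attributes are ignored."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)

def find_mismatches(source):
    """Names of classes that use [UmbracoAuthorize] (on the class or on a
    member) while deriving from UmbracoApiController."""
    source = strip_comments(source)
    classes = list(CLASS_RE.finditer(source))
    # A class owns the text from the end of the previous declaration (so its
    # own leading attributes are included) up to the start of the next class.
    starts = [max(source.rfind(c, 0, m.start()) for c in "{};") + 1
              for m in classes]
    starts.append(len(source))
    flagged = []
    for i, m in enumerate(classes):
        base = (m.group(2) or "").split(".")[-1]
        segment = source[starts[i]:starts[i + 1]]
        if base == "UmbracoApiController" and ATTR_RE.search(segment):
            flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    for name in find_mismatches(SAMPLE):
        print(f"{name}: [UmbracoAuthorize] on an UmbracoApiController; "
              "derive from UmbracoAuthorizedApiController instead")
```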
Thank you Jake - I was missing BackOffice from the URL. It looks like the documentation doesn't include this - and clicking the Edit button returns a 404...
Sorry about the issue with docs + edit button. We're on it!
securing web api for umbraco admin users only?