  • ssougnez 85 posts 289 karma points c-trib
    Nov 09, 2018 @ 09:22
    ssougnez
    0

    UmbracoAuthorize behavior

    Hi,

    I'm currently creating a WebApi to get/edit/delete some data. The "get" route must be accessible for back office users and for anonymous users. However, the "edit" and "delete" routes must only be accessible for back office users.

    After reading this post, it seemed to me that I could do something like this:

    public class HolidayController : UmbracoApiController
    {
        [HttpPost]
        [UmbracoAuthorize]
        public JsonResult // signature cut off in the original post

        [HttpDelete]
        [UmbracoAuthorize]
        public JsonResult<bool> Delete(int id)
        {
            ...
        }

        public JsonResult<object> GetAll()
        {
            ...
        }

        public JsonResult<object> GetAllFromCurrentYear()
        {
            ...
        }
    }

    So basically, an "unsecured" API controller with some "secured" routes. However, it does not seem to work. Indeed, when "UmbracoAuthorize" is applied to a route, it becomes unavailable, even when I'm logged in to the back office (note that even though in my example it is applied to a POST route, I did my test by applying the attribute to a GET route, but it should not change anything).

    I have another solution in mind that consists in splitting the controller in two: one inheriting from "UmbracoApiController" and the other inheriting from "UmbracoAuthorizedApiController". I think it would work, but I'd rather keep everything in one single class.

  • Bharani Dharan Jayasuri 11 posts 125 karma points c-trib
    Nov 09, 2018 @ 11:09
    Bharani Dharan Jayasuri
    101

    I just tried creating a simple property editor through which I could call a couple of WebApi actions from a controller which extended from UmbracoApiController. Decorated one action with UmbracoAuthorize attribute and the other one was left to default.

    public class TestEditorController : UmbracoApiController
    {
        [HttpPost]
        public List<string> HandlePost(TestModel model)
        {
            List<string> result = new List<string>();

            if (ModelState.IsValid)
            {
                result.Add(model.Text1);
                result.Add(model.Text2);
                return result;
            }
            result.Add("Error");
            return result;
        }

        [HttpGet]
        [UmbracoAuthorize]
        public string TestGet()
        {
            return string.Format("some string");
        }
    }

    When I tried accessing the actions from the backoffice, the moment control hit the TestGet() action decorated with the UmbracoAuthorize attribute, I was bombed out of the backoffice with an authorization 401 error in the console.

    I then reversed it as you can see below,

    public class TestEditorController : UmbracoAuthorizedApiController
    {
        [HttpPost]
        [AllowAnonymous]
        public List<string> HandlePost(TestModel model)
        {
            List<string> result = new List<string>();

            if (ModelState.IsValid)
            {
                result.Add(model.Text1);
                result.Add(model.Text2);
                return result;
            }
            result.Add("Error");
            return result;
        }

        [HttpGet]
        public string TestGet()
        {
            return string.Format("some string");
        }
    }

    This seems to work fine; I checked the POST request in Postman to make sure it worked for anonymous users.

    The protected one, on the other hand, doesn't work from Postman, as expected, but does work from the backoffice.

    Perhaps this could be used as a solution in case we don't want to create two different ApiControllers one to be securely accessed from the backoffice and one anonymously anywhere?
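Applying the pattern from the reply above to the original question's HolidayController, as an added example that is neither the thread's nor Umbraco's own code: the controller derives from UmbracoAuthorizedApiController, so every action is closed to anonymous callers by default, and only the two read actions are opened with [AllowAnonymous]. That inverts the original layout's failure mode: forgetting an attribute on a new action now leaves it protected rather than exposed. The Holiday model, the Post action name, the in-memory sample data and the Umbraco 7 route comment are assumptions introduced for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using System.Web.Http.Results;
using Umbraco.Web.WebApi;

// Hypothetical model; the original thread never shows one.
public class Holiday
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int Year { get; set; }
}

// One controller: anonymous reads, back-office-only writes.
// Because the base class is UmbracoAuthorizedApiController, the
// back-office authorization applies to every action unless an action
// explicitly opts out with [AllowAnonymous].
// Assumed Umbraco 7 route for this controller:
//   /umbraco/backoffice/api/Holiday/{action}
public class HolidayController : UmbracoAuthorizedApiController
{
    // Constructed sample data standing in for the real data source.
    private static readonly List<Holiday> Holidays = new List<Holiday>
    {
        new Holiday { Id = 1, Name = "New Year's Day", Year = 2018 },
        new Holiday { Id = 2, Name = "Christmas Day",  Year = 2018 },
        new Holiday { Id = 3, Name = "New Year's Day", Year = 2019 },
    };

    // Public read: [AllowAnonymous] opts this action out of the
    // class-level back-office check, as the reply above demonstrates.
    [HttpGet]
    [AllowAnonymous]
    public JsonResult<IEnumerable<Holiday>> GetAll()
    {
        return Json<IEnumerable<Holiday>>(Holidays.ToList());
    }

    // Public read, filtered to the current (UTC) year.
    [HttpGet]
    [AllowAnonymous]
    public JsonResult<IEnumerable<Holiday>> GetAllFromCurrentYear()
    {
        int year = DateTime.UtcNow.Year;
        return Json<IEnumerable<Holiday>>(
            Holidays.Where(h => h.Year == year).ToList());
    }

    // Mutating action: no [AllowAnonymous], so a request without a valid
    // back-office identity is rejected before this body runs.
    [HttpPost]
    public JsonResult<Holiday> Post(Holiday holiday)
    {
        if (holiday == null || string.IsNullOrWhiteSpace(holiday.Name))
        {
            throw new HttpResponseException(System.Net.HttpStatusCode.BadRequest);
        }

        holiday.Id = Holidays.Any() ? Holidays.Max(h => h.Id) + 1 : 1;
        Holidays.Add(holiday);
        return Json(holiday);
    }

    // Mutating action, protected the same way; returns whether a row was removed.
    [HttpDelete]
    public JsonResult<bool> Delete(int id)
    {
        int removed = Holidays.RemoveAll(h => h.Id == id);
        return Json(removed > 0);
    }
}
```

Two practical caveats follow from the base-class change. First, the controller's URL moves from the plain API prefix to the back-office one, so anonymous callers of GetAll have to use the new path. Second, the only credential the protected actions check is the back-office login cookie, so a state-changing POST or DELETE authorized by that cookie alone should also carry an anti-forgery check; Umbraco's UmbracoAuthorizedJsonController is the base class that adds its AngularJS anti-forgery token validation for exactly that purpose, and is the better choice when the actions are called from a property editor.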

  • ssougnez 85 posts 289 karma points c-trib
    Nov 09, 2018 @ 12:12
    ssougnez
    1

    Nice, I'm going to try that right away and mark your answer if it works.

    Although, you have to admit that the initial way should be working (or the documentation should be adapted).

    Thanks ;-)
