I'm currently creating a WebApi to get/edit/delete some data. The "get" route must be accessible for back office users and for anonymous users. However, the "edit" and "delete" routes must only be accessible for back office users.
After reading this post, it seemed to me that I could do something like this:
public class HolidayController : UmbracoApiController
{
[HttpPost]
[UmbracoAuthorize]
public JsonResult
[HttpDelete]
[UmbracoAuthorize]
public JsonResult<bool> Delete(int id)
{
...
}
public JsonResult<object> GetAll()
{
...
}
public JsonResult<object> GetAllFromCurrentYear()
{
...
}
}
So basically, have an "unsecure" API controller with some "secured" route. However, it does not seem to work. Indeed, when "UmbracoAuthorize" is applied on a route, it becomes unavailable, even when I'm logged in in the backoffice (Note that even though in my example it is applied on a POST route, I did my test by applying the attribute on a GET route, but it should not change anything).
I have another solution in mind that consists in splitting the controller in two. One inheriting from "UmbracoApiController" and the other intheriting from "UmbracoAuthorizedApiController". I think it would work but I'd rather keep everything in one single class.
I just tried creating a simple property editor through which I could call a couple of WebApi actions from a controller which extended from UmbracoApiController. Decorated one action with UmbracoAuthorize attribute and the other one was left to default.
public class TestEditorController : UmbracoApiController
{
[HttpPost]
public List<string> HandlePost(TestModel model)
{
List<string> result = new List<string>();
if (ModelState.IsValid)
{
result.Add(model.Text1);
result.Add(model.Text2);
return result;
}
result.Add("Error");
return result;
}
[HttpGet]
[UmbracoAuthorize]
public string TestGet()
{
return string.Format("some string");
}
}
When I tried accessing the actions from the backoffice, the moment control hit the Get() action decorated with UmbracoAuthorize attribute, I was bombed out of the backoffice with an authorization 401 error in the console.
I then reversed it as you can see below,
public class TestEditorController : UmbracoAuthorizedApiController
{
[HttpPost]
[AllowAnonymous]
public List<string> HandlePost(TestModel model)
{
List<string> result = new List<string>();
if (ModelState.IsValid)
{
result.Add(model.Text1);
result.Add(model.Text2);
return result;
}
result.Add("Error");
return result;
}
[HttpGet]
public string TestGet()
{
return string.Format("some string");
}
}
This seems to work fine, I checked the post request on Postman to make sure it worked for anonymous users.
The protected one on the other hand doesn't work from Postman as expected but does work from the backoffice,
Perhaps this could be used as a solution in case we don't want to create two different ApiControllers one to be securely accessed from the backoffice and one anonymously anywhere?
UmbracoAuthorize behavior
Hi,
I'm currently creating a WebApi to get/edit/delete some data. The "get" route must be accessible for back office users and for anonymous users. However, the "edit" and "delete" routes must only be accessible for back office users.
After reading this post, it seemed to me that I could do something like this:
public class HolidayController : UmbracoApiController { [HttpPost] [UmbracoAuthorize] public JsonResult
}
So basically, have an "unsecure" API controller with some "secured" route. However, it does not seem to work. Indeed, when "UmbracoAuthorize" is applied on a route, it becomes unavailable, even when I'm logged in in the backoffice (Note that even though in my example it is applied on a POST route, I did my test by applying the attribute on a GET route, but it should not change anything).
I have another solution in mind that consists in splitting the controller in two. One inheriting from "UmbracoApiController" and the other intheriting from "UmbracoAuthorizedApiController". I think it would work but I'd rather keep everything in one single class.
I just tried creating a simple property editor through which I could call a couple of WebApi actions from a controller which extended from UmbracoApiController. Decorated one action with
UmbracoAuthorizeattribute and the other one was left to default.When I tried accessing the actions from the backoffice, the moment control hit the
Get()action decorated withUmbracoAuthorizeattribute, I was bombed out of the backoffice with an authorization 401 error in the console.I then reversed it as you can see below,
This seems to work fine, I checked the post request on Postman to make sure it worked for anonymous users.
The protected one on the other hand doesn't work from Postman as expected but does work from the backoffice,
Perhaps this could be used as a solution in case we don't want to create two different ApiControllers one to be securely accessed from the backoffice and one anonymously anywhere?
Nice, I'm going to try that right away and mark your answer if it works.
Although, you have to admit that the initial way should be working (or the documentation should be adapted).
Thanks ;-)
is working on a reply...