This repository has been archived by the owner on Dec 9, 2022. It is now read-only.
Inherit AuthorizeAttribute so 3rd parties can identify FluentSecurity as an authorization component #73
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…y libraries can identify FluentSecurity as an MVC security component without making a special case.
…uthorizeAttribute so they cannot be seen or misused.
|
Thanks for the pull-request. I've added some comment about this to the original issue (#72: Why doesn't HandleSecurityAttribute inherit AuthorizeAttribute?) |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As mentioned in #72, MvcSiteMapProvider can automatically pick up the authorization settings from FluentSecurity if it inherits AuthorizeAttribute.
Per this post, there are many built-in types in the MVC framework (and potentially by 3rd parties) that implement IAuthorizationFilter (including Controller), and most of these types do not provide any authorization capability. The only positive way to identify that a component is for MVC authorization is if it inherits AuthorizeAttribute. Since that is exactly what FluentSecurity does, it should inherit AuthorizeAttribute.
Although, admittedly on your side of the fence this looks a little like a hack because of the hidden properties, this fix creates the ideal scenario.
Do note that I put the property hiding in a separate commit in case you want to do it another way. Also note that the Order, Roles, and Users properties are only hidden if you access the library from another solution, but they are visible within the FluentSecuirty solution. If desired, you could also hide the protected members of AuthorizeAttribute so they aren't visible to inheritors of HandleSecurityAttribute.
This change is completely backward compatible with the current implementation.
I tested it with MvcSiteMapProvider and it is working. I also verified the build script is working.