locked
Web API Route and Permission Attribute RRS feed

  • Question

  • Hi,

    I want to be able to stop being able access a web api method from a given feature. So if they don't have the reporting feature, you won't be able to call it. My code that I have so far is:

    API Method:

     [HttpGet]
            [Route("getallreports")]
            [PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
            [FeaturePermission(SecurityAction.Demand, Feature = Features.Reporting, DemandAny = true)]
            public string GetAllReports()
            {
                var data = dataarm.GetReports();
    }


    Feature Permission Attribute Class:

    [Serializable, AttributeUsage(AttributeTargets.Method | AttributeTargets.Constructor | AttributeTargets.Struct | AttributeTargets.Method | AttributeTargets.Assembly, AllowMultiple = false, Inherited = false)]
        public sealed class FeaturePermissionAttribute : CodeAccessSecurityAttribute
        {
            private Features feature;
            private bool demandany;
    
            public Features Feature { get { return feature; } set { feature = value; } }
    
            public Boolean DemandAny { get { return demandany; } set { demandany = value; } }
    
            public FeaturePermissionAttribute(SecurityAction action)
                : base(action) { }
    
            public override IPermission CreatePermission()
            {
                if (Unrestricted)
                    return new FeaturePermission(PermissionState.Unrestricted);
                else
                    return new FeaturePermission(feature, demandany);
            }
        }

    Feature Permission Class:

    public class FeaturePermission : IPermission, IUnrestrictedPermission
        {
            private Features features = Features.None;
            private bool demand_any = false;
            private bool unrestricted = true;
            DataArm data_arm = new DataArm();
    
    
            public Features Feature
            {
                get { return features; }
            }
    
            public bool DemandAny
            {
                get { return demand_any; }
            }
    
            public FeaturePermission(bool unrestricted)
            {
                if (unrestricted)
                {
                    this.features = Features.All;
                    this.demand_any = false;
                    this.unrestricted = true;
                }
                else
                {
                    this.features = Features.None;
                    this.demand_any = false;
                }
            }
    
            public FeaturePermission(Features features) : this(features, false)
            {
            }
    
            public FeaturePermission(Features features, bool demandany)
            {
                this.features = features;
                this.demand_any = demandany;
            }
    
            public FeaturePermission(PermissionState state)
            {
                if (state == PermissionState.Unrestricted)
                {
                    this.features = Features.All;
                    this.demand_any = false;
                    this.unrestricted = true;
                }
                else
                {
                    this.features = Features.None;
                    this.demand_any = false;
                }
            }
    
            public Boolean TryDemand()
            {
                if (IsUnrestricted())
                    return true;
    
    
                var settings = data_arm.GetSettings(false);
    
    
                if (settings.License == null || !settings.License.HasFeature(features, demand_any))
                    return false;
                else
                    return true;
            }
    
            #region IPermission Members
            public IPermission Copy()
            {
                if (unrestricted)
                    return new FeaturePermission(true);
                else
                    return new FeaturePermission(features, demand_any);
            }
    
            public IPermission Intersect(IPermission target)
            {
                if (target == null)
                    return null;
    
                FeaturePermission permission = target as FeaturePermission;
                if (permission == null)
                    throw new ArgumentException("Cannot cast target permission type.", "target");
    
                if (IsUnrestricted() && permission.IsUnrestricted())
                    return new FeaturePermission(true);
    
                return new FeaturePermission(features & permission.features, demand_any & permission.demand_any);
            }
    
            public Boolean IsSubsetOf(IPermission target)
            {
                if (target == null)
                    return (features == Features.None);
    
                FeaturePermission permission = target as FeaturePermission;
                if (permission == null)
                    throw new ArgumentException("Cannot cast target permission type.", "target");
    
                return ((features & ~permission.features) == Features.None);
            }
    
            public IPermission Union(IPermission target)
            {
                if (target == null)
                    return Copy();
    
                FeaturePermission permission = target as FeaturePermission;
                if (permission == null)
                    throw new ArgumentException("Cannot cast target permission type.", "target");
    
                if (IsUnrestricted() || permission.IsUnrestricted())
                    return new FeaturePermission(true);
    
                return new FeaturePermission(features | permission.features, demand_any | permission.demand_any);
            }
    
            public void Demand()
            {
                if (!TryDemand())
                    throw new LicenseConstraintException();
            }
            #endregion
    
    
            #region IUnrestrictedPermission Members
            public Boolean IsUnrestricted()
            {
                return unrestricted;
            }
            #endregion
    
            #region ISecurityEncodable Members
            public void FromXml(SecurityElement e)
            {
                String __unrestricted = e.Attributes["Unrestricted"] as String;
                if (__unrestricted != null)
                {
                    unrestricted = Convert.ToBoolean(__unrestricted);
                    if (IsUnrestricted())
                    {
                        features = Features.All;
                        demand_any = false;
                    }
                }
    
                if (!IsUnrestricted())
                {
                    String __feature = e.Attributes["Feature"] as String;
                    if (__feature != null)
                        features = (Features)Enum.Parse(typeof(Features), __feature, true);
    
                    String __demand_any = e.Attributes["DemandAny"] as String;
                    if (__demand_any != null)
                        demand_any = Boolean.Parse(__demand_any);
                }
            }
    
            public SecurityElement ToXml()
            {
                SecurityElement e = new SecurityElement("IPermission");
                e.AddAttribute("class", GetType().AssemblyQualifiedName.Replace('\"', '\''));
                e.AddAttribute("version", "1");
    
                if (!IsUnrestricted())
                {
                    e.AddAttribute("Feature", features.ToString());
                    e.AddAttribute("DemandAny", demand_any.ToString());
                }
                else
                    e.AddAttribute("Unrestricted", "true");
    
                return e;
            }
            #endregion
        }

    Any ideas to why I can always still access the API method?

    Regards,

    Loftty

    Friday, April 24, 2020 2:58 PM

All replies

  • WebAPI forum is in ASP.NET forums.

    http://forums.asp.net/

    Friday, April 24, 2020 3:14 PM