Asked by:
Web API Route and Permission Attribute

Question
-
Hi,
I want to be able to stop being able access a web api method from a given feature. So if they don't have the reporting feature, you won't be able to call it. My code that I have so far is:
API Method:
[HttpGet] [Route("getallreports")] [PermissionSet(SecurityAction.Demand, Name = "FullTrust")] [FeaturePermission(SecurityAction.Demand, Feature = Features.Reporting, DemandAny = true)] public string GetAllReports() { var data = dataarm.GetReports(); }
Feature Permission Attribute Class:
[Serializable, AttributeUsage(AttributeTargets.Method | AttributeTargets.Constructor | AttributeTargets.Struct | AttributeTargets.Method | AttributeTargets.Assembly, AllowMultiple = false, Inherited = false)] public sealed class FeaturePermissionAttribute : CodeAccessSecurityAttribute { private Features feature; private bool demandany; public Features Feature { get { return feature; } set { feature = value; } } public Boolean DemandAny { get { return demandany; } set { demandany = value; } } public FeaturePermissionAttribute(SecurityAction action) : base(action) { } public override IPermission CreatePermission() { if (Unrestricted) return new FeaturePermission(PermissionState.Unrestricted); else return new FeaturePermission(feature, demandany); } }
Feature Permission Class:
public class FeaturePermission : IPermission, IUnrestrictedPermission { private Features features = Features.None; private bool demand_any = false; private bool unrestricted = true; DataArm data_arm = new DataArm(); public Features Feature { get { return features; } } public bool DemandAny { get { return demand_any; } } public FeaturePermission(bool unrestricted) { if (unrestricted) { this.features = Features.All; this.demand_any = false; this.unrestricted = true; } else { this.features = Features.None; this.demand_any = false; } } public FeaturePermission(Features features) : this(features, false) { } public FeaturePermission(Features features, bool demandany) { this.features = features; this.demand_any = demandany; } public FeaturePermission(PermissionState state) { if (state == PermissionState.Unrestricted) { this.features = Features.All; this.demand_any = false; this.unrestricted = true; } else { this.features = Features.None; this.demand_any = false; } } public Boolean TryDemand() { if (IsUnrestricted()) return true; var settings = data_arm.GetSettings(false); if (settings.License == null || !settings.License.HasFeature(features, demand_any)) return false; else return true; } #region IPermission Members public IPermission Copy() { if (unrestricted) return new FeaturePermission(true); else return new FeaturePermission(features, demand_any); } public IPermission Intersect(IPermission target) { if (target == null) return null; FeaturePermission permission = target as FeaturePermission; if (permission == null) throw new ArgumentException("Cannot cast target permission type.", "target"); if (IsUnrestricted() && permission.IsUnrestricted()) return new FeaturePermission(true); return new FeaturePermission(features & permission.features, demand_any & permission.demand_any); } public Boolean IsSubsetOf(IPermission target) { if (target == null) return (features == Features.None); FeaturePermission permission = target as FeaturePermission; if (permission == null) throw new ArgumentException("Cannot cast target permission type.", "target"); return ((features & ~permission.features) == Features.None); } public IPermission Union(IPermission target) { if (target == null) return Copy(); FeaturePermission permission = target as FeaturePermission; if (permission == null) throw new ArgumentException("Cannot cast target permission type.", "target"); if (IsUnrestricted() || permission.IsUnrestricted()) return new FeaturePermission(true); return new FeaturePermission(features | permission.features, demand_any | permission.demand_any); } public void Demand() { if (!TryDemand()) throw new LicenseConstraintException(); } #endregion #region IUnrestrictedPermission Members public Boolean IsUnrestricted() { return unrestricted; } #endregion #region ISecurityEncodable Members public void FromXml(SecurityElement e) { String __unrestricted = e.Attributes["Unrestricted"] as String; if (__unrestricted != null) { unrestricted = Convert.ToBoolean(__unrestricted); if (IsUnrestricted()) { features = Features.All; demand_any = false; } } if (!IsUnrestricted()) { String __feature = e.Attributes["Feature"] as String; if (__feature != null) features = (Features)Enum.Parse(typeof(Features), __feature, true); String __demand_any = e.Attributes["DemandAny"] as String; if (__demand_any != null) demand_any = Boolean.Parse(__demand_any); } } public SecurityElement ToXml() { SecurityElement e = new SecurityElement("IPermission"); e.AddAttribute("class", GetType().AssemblyQualifiedName.Replace('\"', '\'')); e.AddAttribute("version", "1"); if (!IsUnrestricted()) { e.AddAttribute("Feature", features.ToString()); e.AddAttribute("DemandAny", demand_any.ToString()); } else e.AddAttribute("Unrestricted", "true"); return e; } #endregion }
Any ideas to why I can always still access the API method?
Regards,
Loftty
- Moved by Jack J JunMicrosoft contingent staff Monday, April 27, 2020 5:20 AM
Friday, April 24, 2020 2:58 PM
All replies
-
WebAPI forum is in ASP.NET forums.
http://forums.asp.net/
Friday, April 24, 2020 3:14 PM