
RequireRole does not apply to base controller actions #14

Closed
ilizunov opened this Issue · 4 comments

Igor Lizunov

Base controller:

public abstract class SimpleCrudController : Controller 
{
    [HttpGet]
    public virtual ActionResult Update(string id)
    {
        //...
    }
}

Descendant controller:

public class ManufacturerController : SimpleCrudController
{
}

Security:

configuration.For<ManufacturerController>().RequireRole(Roles.Admin);

Test:

expectations
    .Expect<ManufacturerController>(x => x.Update(null))
    .HasRole(Roles.Admin);

Test result:

Expected a configuration for controller "Broxer.Web.Controllers.ManufacturerController", action "Update". Policycontainer could not be found!

Kristoffer Ahl

Currently FluentSecurity does not have support for abstract/base controllers but I will be looking to fix this for the upcoming 2.0 version. No release date has been set for it but it will be sometime before the beginning of May if all goes according to plan. If you provide a pull-request for it I could possibly include it in a 1.5 release so let me know and I'll point you in the right direction.

This issue is closely related to issue 11. You can have a look there and see if what I suggested there will solve your issue.
#11

AlexanderKot

It seems that this change in Extensions

/// <summary>
/// Gets actionmethods for the specified controller type
/// </summary>
public static IEnumerable<MethodInfo> GetActionMethods(this Type controllerType)
{
    return controllerType
        .GetMethods(
            BindingFlags.Public |
            BindingFlags.Instance |
            //BindingFlags.DeclaredOnly |
            BindingFlags.FlattenHierarchy
        )
        .Where(x => typeof(ActionResult).IsAssignableFrom(x.ReturnType))
        .AsEnumerable();
}

is enough to fix this issue.
After that all tests are executed and methods from the hierarchy are taken into account
(I have checked this in my project for a hierarchy of generic controllers with the last type being concrete,
with a parallel hierarchy of generic SecurityConfigurer classes, each of which configures the corresponding controller).

Does anybody see possible side effects from such a change?
Whether or not base classes are analyzed need not be hardcoded; it could be declared in the corresponding For<>(...) family of methods.
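
An added example, not part of the thread and not FluentSecurity's own code: a stand-alone C# program showing how the `BindingFlags.DeclaredOnly` flag commented out in the change above decides whether an inherited action such as `Update` is discovered at all, and therefore whether it can receive a policy. The `ActionResult` and `Controller` stand-in classes, the `Index` action and the `ActionDiscovery` helper are assumptions made so the example compiles without ASP.NET MVC.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Stand-ins for the System.Web.Mvc types (assumption, so no MVC reference is needed).
public class ActionResult { }
public abstract class Controller { }

// Same shape as the controllers in the issue; Index is a constructed extra action.
public abstract class SimpleCrudController : Controller
{
    public virtual ActionResult Update(string id) { return new ActionResult(); }
}

public class ManufacturerController : SimpleCrudController
{
    public ActionResult Index() { return new ActionResult(); }
}

public static class ActionDiscovery
{
    // Hypothetical helper: action names found with or without DeclaredOnly.
    // FlattenHierarchy is left out because it only affects static members.
    public static List<string> ActionNames(Type controllerType, bool declaredOnly)
    {
        var flags = BindingFlags.Public | BindingFlags.Instance;
        if (declaredOnly) flags |= BindingFlags.DeclaredOnly;
        return controllerType.GetMethods(flags)
            .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
            .Select(m => m.Name)
            .OrderBy(n => n)
            .ToList();
    }

    public static void Main()
    {
        var type = typeof(ManufacturerController);
        var declared = ActionNames(type, declaredOnly: true);
        var all = ActionNames(type, declaredOnly: false);

        Console.WriteLine("DeclaredOnly:   " + string.Join(", ", declared));
        Console.WriteLine("With inherited: " + string.Join(", ", all));

        // Actions that discovery with DeclaredOnly never sees, so no policy is attached.
        foreach (var missed in all.Except(declared))
            Console.WriteLine("Not discovered with DeclaredOnly: " + type.Name + "." + missed);
    }
}
```

Running the same comparison over every controller type in an application gives a quick audit of which routable actions live only in base classes and need an explicit policy or a test expectation.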

Kristoffer Ahl
Owner

Awesome! Haven't tried it but you might be on to something. I'll look into this before the final release of 2.0. Might not make it into the next alpha though. Have bigger issues to tackle before this.

Kristoffer Ahl kristofferahl closed this issue from a commit
Kristoffer Ahl Merge branch 'feature-base-controllers' into develop
Closes #11
Closes #14
Closes #34
Closes #35
Closes #41
a314657
Kristoffer Ahl

There's now a fix for this issue. I just uploaded a new alpha version to nuget.

NuGet: https://nuget.org/packages/FluentSecurity/2.0.0-alpha2
Documentation (temporary): https://github.com/kristofferahl/FluentSecurity/wiki/Securing-controllers
