Web Api - Authorization on a per-user basis using annotations

Question

is it possible to achieve a user-based authorization procedure using an annotation? I'm building a REST Api and I would like users to only be access items that belong to them. This is achieved by looking at the transmitted AccessToken which contains a user's id, from where I can tell if a user is authorized to view the requested content or not.

In order to avoid a static authorization procedure inside each Controller.Method() I would very much like to just use an AuthorizationAttribute like this:

[RestrictAccess(Access.ADMIN, Access.OWNER)]
public SensitiveData GetSensitiveData(Guid userId) {

     return Repository.GetSensitiveData(userId);

}

For example, this method should only be allowed to be called by all users with AccessRole ADMIN and the OWNER of the requested item.

Essentially I am looking for a way to use the Controller's parameters at run time inside my AuthorizationAttribute. Is this possible?

Thank you!

score 0 · Answer 1 · answered Nov 05 '12 at 15:14

0

I've found the solution:

using System.Web.Http.Filters;
public class Restriction : ActionFilterAttribute {

    public override void OnActionExecuting(HttpActionContext actionContext) {

        // holds a dictionary of arguments passed to annotated Controller.
        var arguments = actionContext.ActionArguments; 

        base.OnActionExecuting

    }

}

answered Nov 05 '12 at 15:14

doque

2,723
6
27
44

Does this work for you? My ActionArguments isn't getting a copy of the parameters I'm passing into the Controller.... – mikebridge Feb 06 '13 at 18:01

Web Api - Authorization on a per-user basis using annotations

1 Answers1