As the title says, it is currently not possible to override the AuthorizeAttribute set on Controllers with an AuthorizeAttribute set on Actions.
While this is in itself not a bug, it is quite an inconvenience. The attribute would be easier to use if you were able to set it on an Action as well as on the Controller. This would pretty much result in a similar usage process as with the AllowAnonymousAttribute, which can in fact override the Controller level AuthorizeAttribute.
Pseudo-code:
```
[Authorize(Roles = "Administrator")]
public class MyController : ApiController
{
//A hundred (exaggerating here) functions that are limited to Administrators thanks to the AuthorizeAttibute on the Controller.
[Authorize(Roles = "User,Administrator")] //FEATURE: Override only this single action to allow users as well. As it stands now, this is never reached due to the AuthorizeAttribute on the Controller.
public MyObject MyMoreAccesibleAction()
{
}
[AllowAnonymous] //AllowAnonymous can already override the AuthorizeAttribute
public MyObejct MyPublicMethod()
{
}
}
```
Comments: Ok I quickly wrote a custom Authorize attribute that can allow you to use the AuthorizeAttribute on Actions for those who are interested. ``` using System; using System.Linq; using System.Web.Http; using System.Web.Http.Controllers; [AttributeUsage(AttributeTargets.Class, Inherited = true, AllowMultiple = true)] public class OverridableAuthorizeAttribute : AuthorizeAttribute { public override void OnAuthorization(HttpActionContext actionContext) { if (actionContext.ActionDescriptor.GetCustomAttributes<AuthorizeAttribute>().Any()) { return; } base.OnAuthorization(actionContext); } } ```
While this is in itself not a bug, it is quite an inconvenience. The attribute would be easier to use if you were able to set it on an Action as well as on the Controller. This would pretty much result in a similar usage process as with the AllowAnonymousAttribute, which can in fact override the Controller level AuthorizeAttribute.
Pseudo-code:
```
[Authorize(Roles = "Administrator")]
public class MyController : ApiController
{
//A hundred (exaggerating here) functions that are limited to Administrators thanks to the AuthorizeAttibute on the Controller.
[Authorize(Roles = "User,Administrator")] //FEATURE: Override only this single action to allow users as well. As it stands now, this is never reached due to the AuthorizeAttribute on the Controller.
public MyObject MyMoreAccesibleAction()
{
}
[AllowAnonymous] //AllowAnonymous can already override the AuthorizeAttribute
public MyObejct MyPublicMethod()
{
}
}
```
Comments: Ok I quickly wrote a custom Authorize attribute that can allow you to use the AuthorizeAttribute on Actions for those who are interested. ``` using System; using System.Linq; using System.Web.Http; using System.Web.Http.Controllers; [AttributeUsage(AttributeTargets.Class, Inherited = true, AllowMultiple = true)] public class OverridableAuthorizeAttribute : AuthorizeAttribute { public override void OnAuthorization(HttpActionContext actionContext) { if (actionContext.ActionDescriptor.GetCustomAttributes<AuthorizeAttribute>().Any()) { return; } base.OnAuthorization(actionContext); } } ```