As the title says, it is currently not possible to override the AuthorizeAttribute set on Controllers with an AuthorizeAttribute set on Actions.
While this is in itself not a bug, it is quite an inconvenience. The attribute would be easier to use if you were able to set it on an Action as well as on the Controller. This would pretty much result in a similar usage process as with the AllowAnonymousAttribute, which can in fact override the Controller level AuthorizeAttribute.
Pseudo-code:
```
using System.Web.Http; // ApiController, AuthorizeAttribute, AllowAnonymousAttribute

[Authorize(Roles = "Administrator")]
public class MyController : ApiController
{
    // A hundred (exaggerating here) functions that are limited to Administrators thanks to the AuthorizeAttribute on the Controller.

    // FEATURE: Override only this single action to allow users as well.
    // As it stands now, this is never reached due to the AuthorizeAttribute on the Controller.
    [Authorize(Roles = "User,Administrator")]
    public MyObject MyMoreAccessibleAction()
    {
        return null; // placeholder body
    }

    // AllowAnonymous can already override the AuthorizeAttribute
    [AllowAnonymous]
    public MyObject MyPublicMethod()
    {
        return null; // placeholder body
    }
}
```
Comments: It does not seem to work on my end :/
```
using System.Web.Http; //AuthorizeAttribute, AllowAnonymousAttribute
using System.Web.Http.Filters; //OverrideAuthorizationAttribute
using System.Web.Http.OData; //EntitySetController

[Authorize(Roles = "Administrator")]
public class MyObjectController : EntitySetController<MyObject, int>
{
    //Works; Admins only
    public MyObject DoSomethingForAdmins()
    {
        return null; // placeholder body
    }

    //Doesn't work. Still Admins only.
    [OverrideAuthorization]
    [Authorize(Roles = "User,Administrator")]
    public MyObject GetSomethingForUsersAndAdmins(int key)
    {
        return null; // placeholder body
    }

    //Works; everyone can access
    [AllowAnonymous]
    public MyObject GetSomethingForEveryone(int key)
    {
        return null; // placeholder body
    }
}
```
Using packages 5.0.0-rtm-130619 (Prerelease).
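The behaviour discussed in this thread, as an added example that is not part of the original issue or of the Web API code base: a simplified console model of why an action-level `[Authorize]` narrows access rather than widening it, and what `[AllowAnonymous]` and the intended effect of `[OverrideAuthorization]` change. The type and member names (`AuthorizeFilterModel`, `AuthorizeFilter`, `Scope`, `IsAllowed`) are hypothetical, and the callers are assumed to be authenticated.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of the filter pipeline; these are NOT the System.Web.Http types.
static class AuthorizeFilterModel
{
    enum Scope { Controller, Action }

    sealed class AuthorizeFilter
    {
        public Scope Level;      // where the attribute was declared
        public string[] Roles;   // parsed from Roles = "A,B"
    }

    // True when an authenticated caller with userRoles reaches the action.
    static bool IsAllowed(IEnumerable<AuthorizeFilter> filters, string[] userRoles,
                          bool allowAnonymous = false, bool overrideAuthorization = false)
    {
        // [AllowAnonymous]: every Authorize filter skips its check.
        if (allowAnonymous) return true;

        // [OverrideAuthorization] on the action: controller-level filters are dropped.
        if (overrideAuthorization)
            filters = filters.Where(f => f.Level == Scope.Action);

        // Remaining filters are ANDed; roles inside one filter are ORed.
        return filters.All(f => f.Roles.Any(r => userRoles.Contains(r)));
    }

    static void Main()
    {
        var filters = new[]
        {
            new AuthorizeFilter { Level = Scope.Controller, Roles = new[] { "Administrator" } },
            new AuthorizeFilter { Level = Scope.Action, Roles = new[] { "User", "Administrator" } },
        };
        var user = new[] { "User" };            // constructed sample callers
        var admin = new[] { "Administrator" };

        Console.WriteLine("admin, both filters:            " + IsAllowed(filters, admin));
        Console.WriteLine("user, both filters:             " + IsAllowed(filters, user));
        Console.WriteLine("user, with override on action:  " + IsAllowed(filters, user, overrideAuthorization: true));
        Console.WriteLine("user, AllowAnonymous on action: " + IsAllowed(filters, user, allowAnonymous: true));
    }
}
```

Because stacked filters can only narrow access, a controller-level role restriction is a safe default; widening it for one action has to be an explicit opt-out on that action, which is worth checking for in code review.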