RicoSuter / NSwag

The Swagger/OpenAPI toolchain for .NET, ASP.NET Core and TypeScript.
http://NSwag.org
MIT License

OperationSecurityScopeProcessor ignores AllowAnonymousAttribute #1195

Open springy76 opened 6 years ago

springy76 commented 6 years ago

OperationSecurityScopeProcessor currently only looks for AuthorizeAttribute but ignores AllowAnonymousAttribute which is designed to override AuthorizeAttribute when both are declared.

So it is valid to declare AuthorizeAttribute on the entire controller and opt-out on single actions using AllowAnonymousAttribute. It's even valid to declare AuthorizeAttribute on a base controller type and AllowAnonymousAttribute on a derived controller type.

RicoSuter commented 6 years ago

Thanks for reporting. Can you create a PR to support the AllowAnonymousAttribute?

springy76 commented 6 years ago

Looking at the sources more closely I noticed that AuthorizeAttribute is only used for Role retrieval. The security node is applied to every single operation without further checking.
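The two points raised in this thread, that `[AllowAnonymous]` must override `[Authorize]` wherever the two meet in the action/controller/base-controller chain, and that the security requirement should only be emitted for operations that actually require authentication, can be checked with plain reflection. The following is an added example, not code from NSwag or from anyone in this thread: it resolves the effective authorization of an action the way ASP.NET Core MVC does (any `[AllowAnonymous]` on the method or on any type in the controller's inheritance chain wins; otherwise the roles of every `[Authorize]` in that chain apply). It assumes an ASP.NET Core project so that `Microsoft.AspNetCore.Authorization` is available; the controller and action names are made up for the demonstration, and wiring the result into an NSwag operation processor is deliberately left out, only the decision logic is shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;

// Resolves what an action actually requires once [Authorize] and [AllowAnonymous]
// on the method, the routed controller type and its base types are combined the
// way ASP.NET Core MVC combines them. A global fallback/default policy is not
// considered here; only attributes are inspected.
public static class EffectiveAuthorization
{
    public sealed class Result
    {
        public bool RequiresAuthentication { get; }
        public IReadOnlyList<string> Roles { get; }

        public Result(bool requiresAuthentication, IReadOnlyList<string> roles)
        {
            RequiresAuthentication = requiresAuthentication;
            Roles = roles;
        }

        public override string ToString() =>
            RequiresAuthentication
                ? "authenticated, roles: [" + string.Join(", ", Roles) + "]"
                : "anonymous";
    }

    // The action method first, then the controller the request is routed to and
    // each of its base types, so an [Authorize] or [AllowAnonymous] declared on an
    // abstract base controller is seen as well.
    private static IEnumerable<MemberInfo> AttributeSources(Type controllerType, MethodInfo action)
    {
        yield return action;
        for (Type t = controllerType; t != null && t != typeof(object); t = t.BaseType)
            yield return t;
    }

    public static Result Resolve(Type controllerType, MethodInfo action)
    {
        var sources = AttributeSources(controllerType, action).ToList();

        // Opt-out wins no matter where in the chain [Authorize] sits. This is also
        // why a processor must not emit a security requirement for such operations.
        if (sources.Any(m => m.GetCustomAttributes<AllowAnonymousAttribute>(inherit: false).Any()))
            return new Result(false, Array.Empty<string>());

        var authorize = sources
            .SelectMany(m => m.GetCustomAttributes<AuthorizeAttribute>(inherit: false))
            .ToList();

        // No [Authorize] anywhere: nothing to require (absent a global policy).
        if (authorize.Count == 0)
            return new Result(false, Array.Empty<string>());

        // Roles is a comma-separated string (or null) on each AuthorizeAttribute.
        var roles = authorize
            .Where(a => !string.IsNullOrWhiteSpace(a.Roles))
            .SelectMany(a => a.Roles.Split(',', StringSplitOptions.RemoveEmptyEntries))
            .Select(r => r.Trim())
            .Distinct()
            .ToList();

        return new Result(true, roles);
    }
}

// Constructed sample controllers covering the three cases from the issue.
[Authorize(Roles = "Admin")]
public abstract class SecuredControllerBase { }

public class ReportsController : SecuredControllerBase
{
    public string Secret() => "secret";   // inherits the Admin requirement from the base

    [AllowAnonymous]
    public string Public() => "public";   // opt-out on a single action
}

[AllowAnonymous]
public class HealthController : SecuredControllerBase   // opt-out on the derived controller type
{
    public string Ping() => "pong";
}

public static class Program
{
    private static void Show(Type controller, string action)
    {
        MethodInfo method = controller.GetMethod(action);
        Console.WriteLine($"{controller.Name}.{action}: {EffectiveAuthorization.Resolve(controller, method)}");
    }

    public static void Main()
    {
        Show(typeof(ReportsController), nameof(ReportsController.Secret));
        Show(typeof(ReportsController), nameof(ReportsController.Public));
        Show(typeof(HealthController), nameof(HealthController.Ping));
    }
}
```

Two things worth keeping in mind when adapting this. First, the override is one-directional in ASP.NET Core: `[AllowAnonymous]` on a controller also disables `[Authorize]` on its individual actions, so walking the whole chain for the opt-out before looking at any `[Authorize]` is the correct order, not a simplification. Second, roles are read from every `[Authorize]` in the chain, which matches how the issue describes the attribute being used for role retrieval; a processor that only emits the security node when `RequiresAuthentication` is true avoids documenting a requirement that the runtime never enforces.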