Open springy76 opened 6 years ago
Thanks for reporting. Can you create a PR to support the AllowAnonymousAttribute?
Looking at the sources more closely I noticed that AuthorizeAttribute is only used for Role retrieval. The security node is applied to every single operation without further checking.
OperationSecurityScopeProcessor currently only looks for AuthorizeAttribute but ignores AllowAnonymousAttribute, which is designed to override AuthorizeAttribute when both are declared. So it is valid to declare AuthorizeAttribute on the entire controller and opt-out on single actions using AllowAnonymousAttribute. It's even valid to declare AuthorizeAttribute on a base controller type and AllowAnonymousAttribute on a derived controller type.
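
The precedence described in this issue, as an added example that is not part of the original thread and not the project's own code: a security requirement is emitted only when an operation is covered by AuthorizeAttribute and not opted out by AllowAnonymousAttribute, including the base/derived controller case. The attribute classes are stand-ins so the example runs without framework references, and `SecurityScope.RequiresAuthorization` and the controller names are hypothetical.

```csharp
using System;
using System.Reflection;

// Stand-ins for the framework attributes (assumption: inheritable, as in ASP.NET).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
class AuthorizeAttribute : Attribute { }
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
class AllowAnonymousAttribute : Attribute { }

// Constructed sample controllers covering the cases named in the issue.
[Authorize] class BaseController { }
class OrdersController : BaseController
{
    public void List() { }                      // inherits [Authorize] from the base type
    [AllowAnonymous] public void Health() { }   // opts out on a single action
}
[AllowAnonymous] class PublicController : BaseController
{
    public void Index() { }                     // derived type opts out of the base [Authorize]
}

static class SecurityScope
{
    // Hypothetical helper: true when the operation should carry a security requirement.
    public static bool RequiresAuthorization(MethodInfo action)
    {
        Type controller = action.ReflectedType ?? action.DeclaringType;
        // AllowAnonymous on the action or anywhere in the controller hierarchy wins.
        bool anonymous = action.IsDefined(typeof(AllowAnonymousAttribute), true)
                      || controller.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (anonymous) return false;
        // Otherwise the operation is secured only if some Authorize attribute covers it.
        return action.IsDefined(typeof(AuthorizeAttribute), true)
            || controller.IsDefined(typeof(AuthorizeAttribute), true);
    }
}

static class Program
{
    static void Main()
    {
        var cases = new[] { (typeof(OrdersController), "List"),
                            (typeof(OrdersController), "Health"),
                            (typeof(PublicController), "Index") };
        foreach (var (type, name) in cases)
        {
            MethodInfo m = type.GetMethod(name);
            Console.WriteLine($"{type.Name}.{name}: secured={SecurityScope.RequiresAuthorization(m)}");
        }
    }
}
```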