Status: Closed (halter73 closed this issue 4 days ago)
Analyzer approved!
The analyzer was added by #56244 and https://aka.ms/aspnetcore-warnings/ASP0026 now points to https://learn.microsoft.com/aspnet/core/diagnostics/ASP0026.
Background and Motivation
A lot of people don't realize that the relative order of `[Authorize]` and `[AllowAnonymous]` does not matter, and incorrectly assume that if they put `[Authorize]` "closer" to an MVC action than `[AllowAnonymous]`, it will still force authorization. The following code shows examples of where a closer `[Authorize]` attribute gets overridden by an `[AllowAnonymous]` attribute that is further away.

Proposed Analyzer
Title
Message
And then https://aka.ms/aspnetcore-warnings/ASP0026 would point to documentation explaining.
Category
Severity Level
Risks
This could have some false positives where `[Authorize]` and `[AllowAnonymous]` were intended to be used together, like when specifying an authentication scheme (e.g. `[Authorize(AuthenticationSchemes = "Cookies")]`). No analyzer can catch every accidental application of `[AllowAnonymous]`, but false positives and negatives can be mitigated by making the analyzer more or less conservative as need be.
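The following is an added example, not the issue's own code (which is missing from this page): it shows the override described under Background and Motivation, the corrected layout, and the intentional `[Authorize(AuthenticationSchemes = "Cookies")]` + `[AllowAnonymous]` combination named under Risks. The controller names and routes are made up for illustration.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Case 1: the mistake the analyzer targets. [AllowAnonymous] on the controller
// wins over [Authorize] on the action even though [Authorize] is "closer":
// the authorization middleware skips the endpoint whenever any IAllowAnonymous
// metadata is present, regardless of where it came from.
// Every action here, including Secret(), is reachable without signing in.
[AllowAnonymous]
public class PublicController : ControllerBase
{
    [HttpGet("/public")]
    public IActionResult Index() => Ok("anyone");

    [Authorize] // ineffective: overridden by the controller-level [AllowAnonymous]
    [HttpGet("/public/secret")]
    public IActionResult Secret() => Ok("this is NOT protected");
}

// Fix: require authorization at the outer level and opt individual actions out.
[Authorize]
public class FixedController : ControllerBase
{
    [AllowAnonymous]
    [HttpGet("/fixed")]
    public IActionResult Index() => Ok("anyone");

    [HttpGet("/fixed/secret")]
    public IActionResult Secret() => Ok("requires an authenticated user");
}

// Case 2: the intentional pairing listed under Risks (a false positive for a
// naive analyzer). AuthenticationSchemes makes the "Cookies" handler run, so
// HttpContext.User is populated when a valid cookie is present, while
// [AllowAnonymous] still lets unauthenticated callers through.
public class OptionalAuthController : ControllerBase
{
    [Authorize(AuthenticationSchemes = "Cookies")]
    [AllowAnonymous]
    [HttpGet("/greeting")]
    public IActionResult Greeting()
        => Ok(User.Identity?.IsAuthenticated == true
            ? $"hello {User.Identity.Name}"
            : "hello anonymous");
}
```

A quick check for the first case is an integration test that requests `/public/secret` with no credentials and asserts on a 401 or redirect; with the controller-level `[AllowAnonymous]` in place it returns 200.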