uo-lca / CalRecycleLCA

CalRecycle Used Oil LCA Online Tool

Implement interim Authorization scheme #120

Closed bkuczenski closed 9 years ago

bkuczenski commented 9 years ago

Add a customized AuthorizeAttribute to controller routes that require authorization.

- Pull out an authentication token from (either the URL parameter named "auth" or the HTTP Authentication header)
- Get the ScenarioID from the route
- Check to see if the authentication token allows access to the requested scenarioId

bkuczenski commented 9 years ago

Note: cannot implement Authorization at the attribute level because (1) determining authorization under the current scheme requires access to the repository, and (2) constructor dependency injection is not supported for attributes:

http://stackoverflow.com/questions/5572257/custom-authorization-mvc-3-and-ninject-ioc/5572752#5572752

It appears that there is a possible workaround but I do not understand it.

bkuczenski commented 9 years ago

Update: authorization is implemented via Attribute: Attribute code is used to set an additional route parameter, which is then interpreted in the resource controller (with repository access).

bkuczenski commented 9 years ago

Note: this new scheme needs to be cleaned up a bit because the controller actions do not handle HTTP error codes. But it works. Try the following:

http://localhost:60393/api/scenarios/4
http://localhost:60393/api/scenarios/4?auth=2514bc8

uo-lca commented 9 years ago

Unit tests that used to pass are now failing. Until now, 5 tests passed and 3 failed. Now, only 2 pass and 6 fail. I have not inspected the test results, just guessing that the tests need to change in order to be compatible with auth changes.

bkuczenski commented 9 years ago

I think the remaining issue here is adequately covered by #109 + #129.
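
The scheme described in this thread (an attribute that passes the token on as an extra route parameter, and a controller that checks it against the repository) can be sketched as follows, with the controller returning explicit HTTP status codes. This is an added example, not code from the CalRecycleLCA repository; it assumes ASP.NET Web API 2, and `ScenarioAuthAttribute`, `IScenarioAccess` and the `authToken` key are hypothetical names.

```csharp
// Added example; ScenarioAuthAttribute, IScenarioAccess and "authToken" are hypothetical names.
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Attributes cannot take the repository by constructor injection, so this one only
// extracts the token and hands it to the controller as an extra route value.
public class ScenarioAuthAttribute : AuthorizationFilterAttribute
{
    public const string TokenKey = "authToken";
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        // Source 1: the URL parameter named "auth".
        string token = request.GetQueryNameValuePairs()
            .Where(kv => kv.Key == "auth").Select(kv => kv.Value).FirstOrDefault();
        // Source 2: the HTTP Authorization header ("<scheme> <token>" or a bare token).
        var header = request.Headers.Authorization;
        if (string.IsNullOrEmpty(token) && header != null)
            token = header.Parameter ?? header.Scheme;
        actionContext.ControllerContext.RouteData.Values[TokenKey] = token;
    }
}

public interface IScenarioAccess   // hypothetical repository contract
{
    bool TokenAllowsScenario(string token, int scenarioId);
    object FindScenario(int scenarioId);   // null when the scenario does not exist
}

public class ScenariosController : ApiController
{
    private readonly IScenarioAccess _repo;   // supplied by the IoC container
    public ScenariosController(IScenarioAccess repo) { _repo = repo; }
    [ScenarioAuth]
    public IHttpActionResult Get(int scenarioId)   // scenarioId is bound from the route
    {
        object raw;
        ControllerContext.RouteData.Values.TryGetValue(ScenarioAuthAttribute.TokenKey, out raw);
        var token = raw as string;
        if (string.IsNullOrEmpty(token)) return Unauthorized();   // 401: no token sent
        if (!_repo.TokenAllowsScenario(token, scenarioId))
            return StatusCode(HttpStatusCode.Forbidden);          // 403: token not valid here
        var scenario = _repo.FindScenario(scenarioId);
        return scenario == null ? (IHttpActionResult)NotFound() : Ok(scenario);
    }
}
```

The authorization check runs before the existence lookup, so a caller without a valid token gets 401 or 403 whether or not the scenario exists. A token sent in the `auth` URL parameter ends up in server logs and browser history, which the header form avoids.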