PossessesPermissionCodeAttribute
Members
Namespace: ASPSecurityKit.ServiceStack
Assembly: ASPSecurityKit.ServiceStack.dll
Summary
Attribute to indicate that authorization should only check for the existence of a permission code and skip the entity instance-based check for the associated request. Don’t confuse it with general actions. See remarks for more information.
Remarks
If you use this attribute, authorization calls PossessesPermission rather than the regular IsAuthorized. While the latter ensures that the user has permission to perform the given action on the specified entity instance, the former only verifies that the user possesses at least one record of that permission, regardless of the entity instance that permission belongs to. For this reason, this feature should only be used with actions that cannot provide an entity instance identifier before execution, such as listing records. You should always do the complete check in the endpoint implementation by calling IsAuthorized for each record as soon as you get hold of its identifier.
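The difference between the two checks, and the per-record check the remarks call for, as an added example that is not ASPSecurityKit's own code. PermitStore, Invoice, InvoiceListing and the "ViewInvoice" code are hypothetical stand-ins; only the names PossessesPermission and IsAuthorized come from this page, and their signatures here are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified stand-in for a user's permission records; not ASPSecurityKit's API.
record Permit(string Code, Guid EntityId);
record Invoice(Guid Id, string Title);

class PermitStore
{
    private readonly List<Permit> permits;
    public PermitStore(IEnumerable<Permit> permits) => this.permits = permits.ToList();

    // Code-only check: true if the user holds the code on any entity at all.
    public bool PossessesPermission(string code) =>
        permits.Any(p => p.Code == code);

    // Instance check: the code must be held on this specific entity.
    public bool IsAuthorized(string code, Guid entityId) =>
        permits.Any(p => p.Code == code && p.EntityId == entityId);
}

static class InvoiceListing
{
    // Listing endpoint body: gate on the code, then authorize every record by its id.
    public static List<Invoice> List(PermitStore user, IEnumerable<Invoice> all)
    {
        if (!user.PossessesPermission("ViewInvoice"))
            throw new UnauthorizedAccessException("Permission code not held.");
        return all.Where(i => user.IsAuthorized("ViewInvoice", i.Id)).ToList();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data: the user holds ViewInvoice on one invoice only.
        var mine = new Invoice(Guid.NewGuid(), "mine");
        var other = new Invoice(Guid.NewGuid(), "someone else's");
        var user = new PermitStore(new[] { new Permit("ViewInvoice", mine.Id) });

        var visible = InvoiceListing.List(user, new[] { mine, other });
        // The gate passes, but only the invoice covered by an instance-level permit is returned.
        Console.WriteLine(string.Join(", ", visible.Select(i => i.Title)));
    }
}
```

Without the IsAuthorized filter in List, the code-only gate alone would return both invoices to a user who holds the permission on just one of them.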
Constructors
#ctor(applyTo)
Summary
Initializes a new instance of the PossessesPermissionCodeAttribute class.
Parameters
| Name | Type | Description |
|---|---|---|
| applyTo | ServiceStack.ApplyTo | Determines which HTTP method calls it applies to. |
Properties
IgnoreEntityIdLookup
Summary
Gets whether to perform a direct PossessesPermission check rather than first attempting to discover potential entityId(s) present in the input action parameters, authorizing each such identifier found, and performing PossessesPermission only if no valid identifier is found.
The default is false, which is recommended.
Value
true to perform a direct PossessesPermission check; otherwise, false.