Attribute to indicate that authorization should only check the existence of a permission code and skip entity instance-based check for the associated request. Don’t confuse it with general actions. See remarks for more information.
If you use this attribute, authorization calls PossessesPermission and not the regular IsAuthorized. While the latter call insures that the user must have a permission to perform the given action on the specified entity instance, the former only verifies that the user possesses at least a record of that permission, regardless of the entity instance that permission belongs to. For this reason, this feature should only be used with actions that cannot provide entity instance identifier before execution. Examples include listing of records. you should always do the complete check in the endpoint implementation by making a call to IsAuthorized for each record as soon as you get hold of its identifier.
Initializes a new instance of the PossessesPermissionCodeAttribute class.
|applyTo||ServiceStack.ApplyTo||Determines to which http method call it applies.|
Gets whether to perform a direct PossessesPermission rather than attempting to discover potential entityId(s) present in the input action parameters, authorizing each such identifier found, and only perform PossessesPermission if no valid identifier is found.
The default is
false which is recommended.
true to perform a direct PossessesPermission check; otherwise,