PossessesPermissionCodeAttribute

Namespace: ASPSecurityKit.ServiceStack
Assembly: ASPSecurityKit.ServiceStack.dll

Summary

Attribute to indicate that authorization should only check the existence of a permission code and skip entity instance-based check for the associated request. Don’t confuse it with general actions. See remarks for more information.

Remarks

If you use this attribute, authorization calls PossessesPermission and not the regular IsAuthorized. While the latter call insures that the user must have a permission to perform the given action on the specified entity instance, the former only verifies that the user possesses at least a record of that permission, regardless of the entity instance that permission belongs to. For this reason, this feature should only be used with actions that cannot provide entity instance identifier before execution. Examples include listing of records. you should always do the complete check in the endpoint implementation by making a call to IsAuthorized for each record as soon as you get hold of its identifier.

Constructors

#ctor(applyTo)

Summary

Initializes a new instance of the PossessesPermissionCodeAttribute class.

Parameters
Name Type Description
applyTo ServiceStack.ApplyTo Determines to which http method call it applies.