PossessesPermissionCodeAttribute

Namespace: ASPSecurityKit.ServiceStack
Assembly: ASPSecurityKit.ServiceStack.dll

Summary

Attribute to indicate that authorization should only check the existence of a permission code and skip entity instance-based check for the associated request. Don’t confuse it with general actions. See remarks for more information.

Remarks

If you use this attribute, authorization calls PossessesPermission and not the regular IsAuthorized. While the latter call insures that the user must have a permission to perform the given action on the specified entity instance, the former only verifies that the user possesses at least a record of that permission, regardless of the entity instance that permission belongs to. For this reason, this feature should only be used with actions that cannot provide entity instance identifier before execution. Examples include listing of records. you should always do the complete check in the endpoint implementation by making a call to IsAuthorized for each record as soon as you get hold of its identifier.

Constructors

#ctor(applyTo)

Summary

Initializes a new instance of the PossessesPermissionCodeAttribute class.

Parameters
Name Type Description
applyTo ServiceStack.ApplyTo Determines to which http method call it applies.

Properties

IgnoreEntityIdLookup

Summary

Gets whether to perform a direct PossessesPermission rather than attempting to discover potential entityId(s) present in the input action parameters, authorizing each such identifier found, and only perform PossessesPermission if no valid identifier is found. The default is false which is recommended.

Value

true to perform a direct PossessesPermission check; otherwise, false.