AdminAuthorizeAttribute

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
In .NET, you can add secure attributes to the controller, then override such an attribute on the action with AllowAnonymous.


In Nop, I have a controller in the admin area that uses AdminAuthorizeAttribute. What is the override attribute for actions that I want to allow non-admins to call?

Searched up and down on the net, and in the source code. Can't find any clue.
10 years ago
You could just check using one of the customer extension methods - e.g.
_workContext.CurrentCustomer.IsRegistered()

But, if you want more granular permissions, nopC has its own permissions system.  It uses _permissionService.Authorize

e.g. ManufacturerController
public ActionResult List()
{
    if (!_permissionService.Authorize(StandardPermissionProvider.ManageManufacturers))
        return AccessDeniedView();
    // ... rest of the action
}

To create/use custom permissions, see the built-in Misc.WebServices plugin.
10 years ago
Thanks for your reply, but I think I need to make my questions clearer.

In Nop.Admin project, you can find this ProductController.

[AdminAuthorize]
public partial class ProductController : BaseNopController



Because it is partial, I am allowed to write my own partial.

public partial class ProductController : BaseNopController

I have a method

public ActionResult ImportSapXml()


Because my ProductController is a partial of the core ProductController, ImportSapXml() also inherits the [AdminAuthorize].


My question is, what attribute can I add to my ImportSapXml(), so that it won't ask for an admin to log in?
6 years ago
I know this thread is a few years old, but as it happens, I just had to accomplish this a few moments ago. I did a quick scan on the forums and not much else besides this thread was popping up.

In my case (3.8), it was the Download Controller that a client needed to make the DownloadFile anonymous.

Similar to the ProductController higher up in this thread, in 3.8 + I have the following;

Looking at the ootb classes, we have;

public partial class DownloadController : BaseAdminController

And BaseAdminController has the following class level attributes:
[NopHttpsRequirement(SslRequirement.Yes)]
[AdminValidateIpAddress]
[AdminAuthorize]
[AdminAntiForgery]
[AdminVendorValidation]


Now, the goal was to Allow Anonymous for DownloadFile method within the controller but not override anything else.
Essentially, for Registered users, they needed to download a pdf from www.blah.com/Admin/Download/DownloadFile?downloadGuid=guid

Adding [AllowAnonymous] attribute to the function was not enough.  I had to add OverrideAuthorization as well.

So to answer the original question in this thread... do something like the following;

[OverrideAuthorization]
[AllowAnonymous]
public ActionResult DownloadFile(Guid downloadGuid)
{
    // ...
}

This will allow a user who has no role that has the "allow admin access" ACL associated with it, to successfully make a function call within an admin controller.

Thanks
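
Added example (not part of the original posts and not nopCommerce code): in ASP.NET MVC 5, `System.Web.Mvc.OverrideAuthorizationAttribute` switches off every controller-level and global filter that implements `IAuthorizationFilter` for the action, not only the authorize attribute. This reflection audit lists what each overridden action stops running; the `Sample*` types are constructed stand-ins, and whether a given nopCommerce attribute implements `IAuthorizationFilter` is an assumption to check against its source.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc; // ASP.NET MVC 5: OverrideAuthorizationAttribute, AllowAnonymousAttribute

// Constructed stand-ins for class-level admin filters (not nopCommerce's own types).
public class SampleAdminAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{ public void OnAuthorization(AuthorizationContext filterContext) { } }
public class SampleHttpsRequirementAttribute : FilterAttribute, IAuthorizationFilter
{ public void OnAuthorization(AuthorizationContext filterContext) { } }
public class SampleValidateIpAttribute : ActionFilterAttribute { } // not an authorization filter

[SampleHttpsRequirement, SampleValidateIp, SampleAdminAuthorize]
public abstract class SampleBaseAdminController : Controller { }

public class SampleDownloadController : SampleBaseAdminController
{
    [OverrideAuthorization, AllowAnonymous]
    public ActionResult DownloadFile(Guid downloadGuid) { return new EmptyResult(); }
    public ActionResult List() { return new EmptyResult(); }
}

public static class OverrideAudit
{
    // For each action marked [OverrideAuthorization], name the controller-level
    // attributes implementing IAuthorizationFilter that MVC no longer runs for it.
    // Action filters such as SampleValidateIp are unaffected and are not listed.
    public static string[] Report(Assembly assembly)
    {
        return (from type in assembly.GetTypes()
                where typeof(ControllerBase).IsAssignableFrom(type) && !type.IsAbstract
                from action in type.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                where action.IsDefined(typeof(OverrideAuthorizationAttribute), true)
                let dropped = type.GetCustomAttributes(true).OfType<IAuthorizationFilter>()
                                  .Select(f => f.GetType().Name)
                select type.Name + "." + action.Name + " skips: " + string.Join(", ", dropped))
               .ToArray();
    }

    public static void Main()
    {
        foreach (var line in Report(typeof(OverrideAudit).Assembly))
            Console.WriteLine(line);
    }
}
```

Pointing `Report` at the compiled admin assembly shows which class-level checks would have to be re-applied on the action itself, or replaced by an explicit check inside it, after the override.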
3 years ago
Hi, I hope you still hang out around here!

What is the namespace of the OverrideAuthorization attribute?  I cannot find it so I can add it to my controller to allow anonymous calling of a method in a plugin.