AdminAuthorizeAttribute

7 years ago
In .NET, you can add secure attributes to the controller, then override such an attribute in the action with AllowAnonymous.


In Nop, I have a controller in the admin area that uses AdminAuthorizeAttribute, so what is the override attribute for actions that I want to allow non-admins to call?

Searched up and down on the net, and in the source code. Can't find any clue.
7 years ago
You could just check using one of the customer extension methods - e.g.
_workContext.CurrentCustomer.IsRegistered()

But, if you want more granular permissions, nopC has its own permissions system.  It uses _permissionService.Authorize

e.g. ManufacturerController
        public ActionResult List()
        {
            if (!_permissionService.Authorize(StandardPermissionProvider.ManageManufacturers))
                return AccessDeniedView();

To create/use custom permissions, see the built-in Misc.WebServices plugin.
7 years ago
Thanks for your reply, but I think I need to make my questions clearer.

In Nop.Admin project, you can find this ProductController.

[AdminAuthorize]
public partial class ProductController : BaseNopController



Because it is partial, I am allowed to write my own partial.

public partial class ProductController : BaseNopController

I have a method

public ActionResult ImportSapXml()


Because my ProductController is partial to the core ProductController, ImportSapXml() also inherited the [AdminAuthorize].


My question is, what attribute can I add to my ImportSapXml(), so that it won't ask for an admin to log in?
3 years ago
I know this thread is a few years old, but as it happens, I just had to accomplish this a few moments ago. I did a quick scan on the forums and not much else besides this thread was popping up.

In my case (3.8), it was the Download Controller that a client needed to make the DownloadFile anonymous.

Similar to the ProductController higher up in this thread, in 3.8 + I have the following;

Looking at the ootb classes, we have;

public partial class DownloadController : BaseAdminController

And BaseAdminController has the following class level attributes;
[NopHttpsRequirement(SslRequirement.Yes)]
[AdminValidateIpAddress]
[AdminAuthorize]
[AdminAntiForgery]
[AdminVendorValidation]


Now, the goal was to Allow Anonymous for DownloadFile method within the controller but not override anything else.
Essentially, for Registered users, they needed to download a pdf from www.blah.com/Admin/Download/DownloadFile?downloadGuid=guid

Adding [AllowAnonymous] attribute to the function was not enough.  I had to add OverrideAuthorization as well.

So to answer the original question in this thread... do something like the following;

[OverrideAuthorization]
[AllowAnonymous]
public ActionResult DownloadFile(Guid downloadGuid)
{
...

This will allow a user who has no role that has "allow admin access" acl associated to it, to successfully make a function call within an admin controller.

Thanks
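
The mechanism behind the answer above, as an added example that is not part of the thread and is not nopCommerce code: in ASP.NET MVC 5, System.Web.Mvc.OverrideAuthorizationAttribute discards every IAuthorizationFilter declared at controller or global scope, not only the admin check, so any filter that should still apply has to be repeated on the action. DemoAdminOnly, DemoRequireTls, DemoDownloadController and the role name are stand-ins. Whether each nopCommerce attribute listed above is an authorization filter has to be checked in the source of the version in use.

```csharp
// Added example: stand-in filters, not nopCommerce source. Requires ASP.NET MVC 5.
using System;
using System.Web.Mvc; // OverrideAuthorizationAttribute, AuthorizeAttribute, IAuthorizationFilter

// Hypothetical stand-in for an admin-only check such as [AdminAuthorize].
public class DemoAdminOnlyAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.IsInRole("Administrators")) // constructed role name
            filterContext.Result = new HttpUnauthorizedResult();
    }
}

// Hypothetical stand-in for a transport check such as [NopHttpsRequirement(SslRequirement.Yes)].
public class DemoRequireTlsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.Request.IsSecureConnection)
            filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
    }
}

[DemoRequireTls]
[DemoAdminOnly]
public class DemoDownloadController : Controller
{
    // No override here: both controller-scope filters guard this action.
    public ActionResult Index()
    {
        return Content("admin only");
    }

    // [OverrideAuthorization] drops every IAuthorizationFilter from controller or
    // global scope, so DemoRequireTls would be skipped too if it were not repeated.
    [OverrideAuthorization]
    [DemoRequireTls]   // re-declared at action scope: still runs
    [Authorize]        // signed-in user required, admin role not required
    public ActionResult DownloadFile(Guid downloadGuid)
    {
        if (downloadGuid == Guid.Empty)
            return new HttpStatusCodeResult(400);
        // The GUID is now the only barrier per file: check here that the current
        // user is entitled to this particular download before returning it.
        return Content("download " + downloadGuid.ToString("D"));
    }
}
```

Swapping [Authorize] for [AllowAnonymous] on DownloadFile makes the action reachable without any sign-in, which is what the answer above does.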
one month ago
Hi, I hope you still hang out around here!

What is the namespace of the OverrideAuthorization attribute?  I cannot find it so I can add it to my controller to allow anonymous calling of a method in a plugin.