I have an ASP.NET Web API and I want to apply multiple authorization schemes to one controller method. For my use case, I want to allow all users to access Data() through the /api/AData URL, but only b_data_user can access /api/BData.

I tried the code below and it did not allow access to /api/AData for any user (the users are not in b_data_user).

I understand this is not the ideal way and that I should split the Data() method and apply two authorization schemes for /api/AData and /api/BData.

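```csharp
[Route("~/api/AData")]
[Route("~/api/BData"), Authorize(Roles = "b_data_user")]
[HttpGet]
public HttpResponseMessage Data([FromBody] object[] parameter)
{
    // Path with the "/api/" prefix removed, upper-cased: "ADATA" or "BDATA"
    var method = new Uri(Request.RequestUri.ToString()).LocalPath.Replace("/api/", "").ToUpper();

    if (method == "ADATA")
    {
        // No restriction for AData
        // Some logic to call AData
    }
    else if (method == "BDATA")
    {
        // Only users from b_data_user can access this functionality
        // Some logic to call BData
    }

    // Placeholder result; the question does not show how the response is built
    return Request.CreateResponse(HttpStatusCode.OK);
}
```
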
user781700
  • Attributes apply to the method as a whole, not to the attributes they are "grouped" with. Extract the common logic out to a private method and then make two action methods each with different attributes applied that then call the common method – pinkfloydx33 Jan 29 '21 at 21:43
  • Does this answer your question? [Multiple Authorization attributes on method](https://stackoverflow.com/questions/17272422/multiple-authorization-attributes-on-method) – KillaBytes Jan 30 '21 at 05:04
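
The split suggested in the first comment, written out as an added example (not code from the question or its comments). It assumes ASP.NET Web API 2 (`System.Web.Http`) with attribute routing enabled; `DataController`, `DataKind` and `BuildResponse` are hypothetical names, and the payload is a placeholder.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;

public class DataController : ApiController   // hypothetical controller name
{
    private enum DataKind { A, B }             // hypothetical helper type

    // No role requirement on this action. Any controller-level or global
    // authorization filter still applies; add [AllowAnonymous] only if
    // unauthenticated callers are really meant to reach it.
    [HttpGet]
    [Route("~/api/AData")]
    public HttpResponseMessage AData([FromBody] object[] parameter)
    {
        return BuildResponse(DataKind.A, parameter);
    }

    // The role check is enforced by the framework before this body runs.
    [HttpGet]
    [Route("~/api/BData")]
    [Authorize(Roles = "b_data_user")]
    public HttpResponseMessage BData([FromBody] object[] parameter)
    {
        return BuildResponse(DataKind.B, parameter);
    }

    // Private, so Web API never exposes it as an action. The caller passes
    // the kind explicitly; nothing is derived from Request.RequestUri.
    private HttpResponseMessage BuildResponse(DataKind kind, object[] parameter)
    {
        // Placeholder payload: the question does not show the real logic.
        var payload = new { source = kind + "Data", count = parameter?.Length ?? 0 };
        return Request.CreateResponse(HttpStatusCode.OK, payload);
    }
}
```

To check the result, call `/api/BData` as a user outside `b_data_user` and confirm the default Web API 2 `AuthorizeAttribute` answers 401, then call `/api/AData` as the same user and confirm it succeeds.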
