Hi all, is there a way to restrict access to:
Plugins.Add(new RegistrationFeature());
only for a specific role?
Thank you!
If users haven’t registered yet how could you restrict them to a role (i.e. that they need to be registered to have)?
Anyway, the implementation for RegisterService is here; you can take the functionality you want and use IAuthRepository directly in your own custom service, or use a Request Filter to add custom logic to check for the Register Request DTO and short-circuit the Request if a request shouldn't have access.
Thank you Demis!
…I create a dummy "SuperAdministrator" user at the beginning, just after the InitSchema(), that will have the role to Register new users…
I had the same problem and solved it by copying the RegisterService from SS and putting a [RequiredPermission("admin")] on the register request. It worked fine. I also create a superuser, if none exists, at application startup.
In my case the users do not have a will of their own, since they are machines and other services. So I found it most logical that only an admin can register and unregister users/units. It's important that only known users/units can connect to the web service. Or is there some better alternative way to do this?
You could dynamically register the attribute, e.g.:
    // Must run before Init(); RequiredRole implies the caller is authenticated
    typeof(RegisterService)
        .AddAttributes(new RequiredRoleAttribute("Admin"));
    new AppHost().Init();
Note: Services are registered and auto-wired before Configure() is called, so the attribute needs to be added before.
Or you could register a Request Filter that makes sure the User has the Admin Role, e.g.:
    GlobalRequestFilters.Add((req, res, dto) => {
        var session = req.GetSession();   // session was undefined in the original snippet
        if (dto is Register && !session.HasRole("Admin")) {
            res.StatusCode = (int)HttpStatusCode.Forbidden;   // System.Net
            res.StatusDescription = "Requires Admin Role";
            res.EndRequest();   // short-circuits the request; the service is never invoked
        }
    });
You should also look at AuthSecret support in ServiceStack which lets you access restricted Services without needing to authenticate by adding a hidden ?authsecret=xxx to the request.
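As an added example (not code from this thread or from ServiceStack itself), the following self-hosted AppHost puts the pieces discussed above together: the Admin role is required on RegisterService before Init(), a bootstrap "SuperAdministrator" is created only when no such user exists yet, and a global request filter rejects any Register DTO that does not arrive from an authenticated Admin session. The BOOTSTRAP_ADMIN_PASSWORD environment variable, the listen URL and the in-memory repository/cache are assumptions made for the example; the calls are ServiceStack v4-era ones, and note that later releases changed session.HasRole to also take an IAuthRepository argument.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Caching;

// Added example for the thread above; names marked as assumptions are not from the page.
public class AppHost : AppSelfHostBase
{
    public AppHost() : base("Admin-only registration", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // In-memory session cache and auth repository keep the example self-contained;
        // a real deployment would use e.g. OrmLiteAuthRepository and a Redis cache.
        container.Register<ICacheClient>(new MemoryCacheClient());
        container.Register<IAuthRepository>(c => new InMemoryAuthRepository());

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] { new CredentialsAuthProvider() }));
        Plugins.Add(new RegistrationFeature());

        var authRepo = (IUserAuthRepository)container.Resolve<IAuthRepository>();
        authRepo.InitSchema();
        EnsureBootstrapAdmin(authRepo);

        // Defence in depth: even if the RequiredRole attribute were missing (for
        // instance because it was added after Init()), no Register DTO gets through
        // without an authenticated session that holds the Admin role.
        GlobalRequestFilters.Add((req, res, dto) =>
        {
            if (!(dto is Register)) return;
            var session = req.GetSession();
            // Later ServiceStack versions: session.HasRole("Admin", authRepo)
            if (session == null || !session.IsAuthenticated || !session.HasRole("Admin"))
            {
                res.StatusCode = (int)HttpStatusCode.Forbidden;
                res.StatusDescription = "Requires Admin Role";
                res.EndRequest();
            }
        });
    }

    // Creates the single user allowed to register everyone else, but only if it is
    // absent, so a restart never resets a password that has since been rotated.
    static void EnsureBootstrapAdmin(IUserAuthRepository authRepo)
    {
        const string adminUserName = "SuperAdministrator";   // name used in the thread
        if (authRepo.GetUserAuthByUserName(adminUserName) != null) return;

        // Assumption: the initial password is supplied out-of-band through an
        // environment variable instead of being hard-coded in source.
        var password = Environment.GetEnvironmentVariable("BOOTSTRAP_ADMIN_PASSWORD");
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException(
                "BOOTSTRAP_ADMIN_PASSWORD must be set on first start");

        authRepo.CreateUserAuth(new UserAuth
        {
            UserName = adminUserName,
            DisplayName = "Bootstrap administrator",
            Roles = new List<string> { "Admin" },
        }, password);
    }
}

class Program
{
    static void Main()
    {
        // Must run before Init(): services are registered and auto-wired before
        // Configure() is called, so an attribute added inside Configure() is too late.
        typeof(RegisterService).AddAttributes(new RequiredRoleAttribute("Admin"));

        new AppHost().Init().Start("http://*:8080/");   // listen URL is an assumption
        Console.WriteLine("Listening on http://localhost:8080/ - press Enter to stop");
        Console.ReadLine();
    }
}
```

With the attribute in place an anonymous POST to /register is answered with 401 and an authenticated non-Admin with 403; the filter returns 403 in both cases, matching the snippet in the reply above. The bootstrap admin first authenticates against /auth/credentials and then calls /register for each machine account, after which its initial password should be rotated. On Windows, binding to http://*:8080/ with HttpListener requires a URL ACL or an elevated process.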