RequiresAnyRole combined with RoleNames.Admin

tobi · August 6, 2015, 9:27am

Hi Demis,
we are using the RoleNames.Admin for a “root” user which passes all auth checks. While it is working in the RequiredRoleAttribute, it doesn’t with RequiresAnyRole.

In the RequiredRoleAttribute i can find:

            if (session != null && session.HasRole(RoleNames.Admin))
                return;

but there is nothing in the RequiresAnyRoleAttribute.Execute() method. Is that by design or just forgotten?

At least in my understanding, the RequiresAnyRoleAttribute.Execute() should return true if the user is in the RoleNames.Admin.

Regards
Tobi

Edit: Same with RequiresAnyPermissionAttribute.Execute

mythz · August 6, 2015, 2:59pm

Hi, yeah this was just an omission, added in this commit.

This change is available from v4.0.43+ that’s now available on MyGet.

Also in-case you’re not aware of it, you can also use the authsecret support by setting Config.AdminAuthSecret which enables by-passing any restrictions without having to login by ?authsecret=... to the querystring.

tobi · August 7, 2015, 7:00am

We are aware of the AdminAuth Secret and using it for dev purposes.

Thank you for the fast response!