Using MemberAuthorize AllowedGroup never denies

Hello
I'm having an issue with adding authentication to my UmbracoApiController for frontend member authentication, and I hope someone in here has any insight into this.
Running Umbraco 6.1.4, I have a member group who should be the only ones able to access API methods. Following (as far as I can tell) http://our.umbraco.org/documentation/Reference/WebApi/authorization, my setup of controller methods is as shown below:
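using System.Net;
using System.Net.Http;
using System.Web.Http;
using Umbraco.Web.WebApi;

public class CompanyApiController : UmbracoApiController
{
    [HttpPost]
    // Intended to restrict the action to members of one member group.
    [Umbraco.Web.WebApi.MemberAuthorize(AllowGroup = "MemberGroupName")]
    public HttpResponseMessage MethodName(SearchModel model)
    {
        //DO stuff
        // Placeholder response so the action compiles.
        return Request.CreateResponse(HttpStatusCode.OK);
    }
}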
My problem is this: Setting AllowGroup and attempting to access the method as a member not part of that group will still fire the method and return as if authenticated.
Using AllowedMembers or AllowedType works fine and denies unauthorized requests, but this solution uses MemberGroups/MembershipRoles, so using AllowedType is not an option.
Thanks in advance, Anders
Hi Anders, why are you having to set permissions on API methods?
Have you ensured that the group name is correct and the member trying to access it is not part of the group? (I know you probably have, it's just easily done.)
Charllie
This looks like a bug to me, having looked at the relevant source code. I've created an issue and noted in the comments the resolution, so hopefully that'll get sorted for an upcoming release.
Andy
Thanks for the replies. I had indeed made sure of the spelling and role properties, but some additional testing also pointed us towards it being an actual bug, so we grabbed Andy's solution and it works great :)
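A group check that fails closed, added here as an example: it is not part of the original thread, not Umbraco code, and not the resolution Andy attached to the issue. `RequireMemberGroupAttribute` is a hypothetical name, and the code assumes members sign in through ASP.NET forms authentication (so `HttpContext.Current.User` identifies the member) and that the configured role provider exposes member groups as roles.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Security;

// Hypothetical attribute (not part of Umbraco). Usage on an action:
//   [HttpPost]
//   [RequireMemberGroup("MemberGroupName")]
//   public HttpResponseMessage MethodName(SearchModel model) { ... }
public sealed class RequireMemberGroupAttribute : AuthorizeAttribute
{
    private readonly string[] _groups;

    public RequireMemberGroupAttribute(params string[] groups)
    {
        // An empty or blank group list is a configuration error,
        // never an implicit "allow everyone".
        if (groups == null || groups.Length == 0 ||
            groups.Any(g => string.IsNullOrWhiteSpace(g)))
        {
            throw new ArgumentException("At least one member group is required.", "groups");
        }
        _groups = groups;
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var context = HttpContext.Current;
        var user = context == null ? null : context.User;

        // No principal or an anonymous caller: deny.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            return false;
        }

        // Assumption: the role provider returns the member's groups as roles.
        string[] memberGroups = Roles.GetRolesForUser(user.Identity.Name);

        // Allow only on a positive match; every other path returns false.
        return memberGroups.Any(
            g => _groups.Contains(g, StringComparer.OrdinalIgnoreCase));
    }
}
```

When `IsAuthorized` returns false, the base `AuthorizeAttribute` answers with 401 Unauthorized before the action body runs, which is the behaviour the original post expected from `AllowGroup`.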