AuthZ Regression: PolicyEvaluator always passes HttpContext for resource #1329

HaoK · 2017-07-20T18:09:55Z

See line: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs#L80

The resource should be taken by IPolicyEvaluator.AuthorizeAsync() and passed into the IAuthorizationService instead of always passing in the HttpContext.

This is a regression from 1.0 in MVC where there's no longer any way to access the AuthorizationFilterContext from a policy requirement. Previously the context.Resource was set to the AuthorizationFilterContext.

Fix is #1328

Eilon · 2017-07-20T23:10:20Z

Approved for 2.0, incl. the MVC and SignalR changes:

HaoK · 2017-07-21T04:20:35Z

869d98e

HaoK self-assigned this Jul 20, 2017

HaoK added breaking-change bug labels Jul 20, 2017

HaoK mentioned this issue Jul 20, 2017

AuthZ PolicyEvalutor should take resource #1330

Merged

Eilon added this to the 2.0.0 milestone Jul 20, 2017

Eilon added 2 - Working and removed breaking-change labels Jul 20, 2017

HaoK added 3 - Done and removed 2 - Working labels Jul 21, 2017

HaoK closed this as completed Jul 21, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AuthZ Regression: PolicyEvaluator always passes HttpContext for resource #1329

AuthZ Regression: PolicyEvaluator always passes HttpContext for resource #1329

HaoK commented Jul 20, 2017 •

edited

Loading

Eilon commented Jul 20, 2017

HaoK commented Jul 21, 2017

AuthZ Regression: PolicyEvaluator always passes HttpContext for resource #1329

AuthZ Regression: PolicyEvaluator always passes HttpContext for resource #1329

Comments

HaoK commented Jul 20, 2017 • edited Loading

Eilon commented Jul 20, 2017

HaoK commented Jul 21, 2017

HaoK commented Jul 20, 2017 •

edited

Loading