Umbraco Api - Authorization
How to secure your Umbraco Api controllers
This section describes how to secure your Umbraco Api controllers based on a user's membership.
Authorizing for the backoffice
Inheriting from UmbracoAuthorizedApiController
Probably the easiest way to ensure your controller is secured for only backoffice users is to inherit from Umbraco.Cms.Web.BackOffice.Controllers.UmbracoAuthorizedApiController. This is essentially the same as applying [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)] to your controller (see below).
The UmbracoAuthorizedApiController is automatically routed. Check out the routing documentation for more information on this topic.
Using the Authorize attribute
To secure your controller based on backoffice membership use the attribute Microsoft.AspNetCore.Authorization.Authorize, with the policy parameter set to AuthorizationPolicies.BackOfficeAccess, like so: [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)].
This attribute will ensure that a valid backoffice user is logged in. It is important to know that this only works if the controller is routed to /umbraco/backoffice/*.
Example:
This will only allow a logged-in backoffice user to access the GetProduct action:
The AuthorizationPolicies class has a series of other options you can set. An example is UserBelongsToUserGroupInRequest. By using this policy, you can check if the user making the current incoming request is in a specific backoffice User Group.
Example:
This will only allow a logged-in backoffice user that has access to the SensitiveData User Group to access the GetProduct action:
Adding custom policies
You can add custom policies so you can set up your own requirements. You can do this by adding a new Policy to your builder:
Example:
After configuring, you can now use the Authorize attribute with the name of your policy:
Using MemberAuthorizeAttribute
To secure your controller based on front-end membership use the attribute Umbraco.Cms.Web.Common.Filters.UmbracoMemberAuthorize.
There are 3 parameters that can be supplied to control how the authorization works:
To allow all members, use the attribute without supplying any parameters.
You can apply these attributes at the controller level or at the action level.
Examples:
This will only allow logged-in members of type "Retailers" to access the GetAllProducts action:
This will only allow members belonging to the group VIP to access any actions on the controller:
This will only allow members with Ids 1, 10 and 20 to access any actions on the controller:
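The following is an added example, not code from the Umbraco documentation or the Umbraco project, covering both the custom-policy section and the member authorization section above. It assumes a policy name ("ProductEditor") and a claim name ("productEditor") chosen for illustration, registers the policy through an IComposer, and uses the AllowType, AllowGroup and AllowMembers string properties of UmbracoMemberAuthorize, which I take to be the three parameters the page refers to.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Web.BackOffice.Controllers;
using Umbraco.Cms.Web.Common.Controllers;
using Umbraco.Cms.Web.Common.Filters;

// Registers the hypothetical "ProductEditor" policy. It requires a user
// authenticated against the backoffice scheme who carries the hypothetical
// "productEditor" claim; how that claim is issued is up to your provisioning.
public class ProductPolicyComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddAuthorization(options =>
        {
            options.AddPolicy("ProductEditor", policy =>
            {
                // Without this line the policy is evaluated against the default
                // (front-end) scheme, so a backoffice login would never satisfy it.
                policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("productEditor", "true");
            });
        });
    }
}

// Backoffice API: inheriting UmbracoAuthorizedApiController already enforces
// BackOfficeAccess and routes the controller under /umbraco/backoffice/.
public class ProductApiController : UmbracoAuthorizedApiController
{
    // Any logged-in backoffice user may read.
    public IActionResult GetProduct(int id) => Ok(new { id });

    // Writes additionally require the custom policy registered above.
    [HttpPost]
    [Authorize(Policy = "ProductEditor")]
    public IActionResult SaveProduct(int id) => Ok();
}

// Front-end API: member-based authorization. A class-level and an action-level
// attribute are both authorization filters, so both must pass for GetWholesalePrices.
[UmbracoMemberAuthorize(AllowGroup = "VIP")]
public class ShopApiController : UmbracoApiController
{
    public IActionResult GetAllProducts() => Ok(new[] { "p1", "p2" });

    [UmbracoMemberAuthorize(AllowType = "Retailers")]
    public IActionResult GetWholesalePrices() => Ok();
}
```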