U4-3981 - Make Umbraco.Web.WebApi.Filters.UmbracoApplicationAuthorizeAttribute public

Created by Markus Johansson 07 Jan 2014, 08:11:18 Updated by Shannon Deminick 24 Mar 2014, 04:40:01

Just posted this on the forum: http://our.umbraco.org/forum/umbraco-7/using-umbraco-7/47267-Issue-with-security

I also think that package developers should be able to leverage Umbraco.Web.WebApi.Filters.UmbracoApplicationAuthorizeAttribute or is there any reson to keep it sealed?



Lars-Erik Aabech 19 Mar 2014, 13:38:35

Not to speak of EnsureUserPermissionForContentAttribute and all the others under Umbraco.Web.WebApi.Filters. It's silly to make us have to duplicate all that code to make just as secure extensions to the backoffice. Why wouldn't you want us to make secure extensions?

Shannon Deminick 24 Mar 2014, 04:35:32

@Lars - We don't do these things on purpose to make you write duplicate code or to make insecure extensions :P

Most things are created internally until we know we need to, or want to expose them, and support them as public APIs. The other reason why this has been left internal and sealed is because we need to change the security model eventually - there should be security assigned to trees not sections for various reason. The more public APIs we need to support that will become deprecated or need to change, the more breaking changes there are and the slower things are able to evolve.

I will make these attributes public for 7.1

Priority: Normal

Type: Bug

State: Fixed

Assignee: Shannon Deminick

Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions: 7.0.1

Due in version: 7.1.0


Story Points: