SecurityRequirementsOperationFilter<T> looks for attributes in the method DeclaringType instead of ReflectedType
andrew-yustyk opened this issue · 1 comments
OperationFilterContextExtensions has an extension method named GetControllerAndActionAttributes for searching for the Authorize attribute on the controller action and the controller class.
But this method uses the DeclaringType instead of the ReflectedType property of the method, i.e. attributes will be searched for in the class where the current method is written. This behavior causes an issue with Swagger auth in the case where we have a base class without auth with a few actions and a derived class with auth.
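```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Base class: no [Authorize] attribute here.
public abstract class BaseController : ControllerBase
{
    [HttpGet("[action]")]
    public IActionResult SomeBaseAction()
    {
        return Ok();
    }
}

// Derived class: [Authorize] applies to every action it exposes,
// including the inherited SomeBaseAction.
[ApiController]
[Authorize]
public class DerivedController : BaseController
{
    [HttpGet("[action]")]
    public IActionResult SomeDerivedAction()
    {
        return Ok();
    }
}
```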
In this case, only SomeDerivedAction from the derived controller will have authorization, while both actions require it.
Thanks for the PR :-)
Released https://www.nuget.org/packages/Swashbuckle.AspNetCore.Filters/7.0.7
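
The DeclaringType versus ReflectedType difference described in this issue, as an added stand-alone example that is not part of the issue or of Swashbuckle.AspNetCore.Filters. The local `AuthorizeAttribute` and the `AuthLookup` helper are stand-ins assumed for illustration so the sample runs without ASP.NET Core; it lists each action of the derived controller and flags those where the two lookups disagree.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Stand-in for the real Authorize attribute (assumption, keeps the sample dependency-free).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AuthorizeAttribute : Attribute { }

public abstract class BaseController
{
    public string SomeBaseAction() => "ok";
}

[Authorize]
public class DerivedController : BaseController
{
    public string SomeDerivedAction() => "ok";
}

public static class AuthLookup
{
    // True when [Authorize] is on the action itself or on the given controller type
    // (inherit: true also walks that type's base classes).
    public static bool HasAuthorize(MethodInfo action, Type controller) =>
        action.IsDefined(typeof(AuthorizeAttribute), inherit: true) ||
        (controller?.IsDefined(typeof(AuthorizeAttribute), inherit: true) ?? false);

    public static void Main()
    {
        // Methods are obtained through the derived type, so ReflectedType is
        // DerivedController even for methods written in BaseController.
        var actions = typeof(DerivedController)
            .GetMethods(BindingFlags.Public | BindingFlags.Instance)
            .Where(m => m.DeclaringType != typeof(object));

        foreach (var action in actions)
        {
            bool viaDeclaring = HasAuthorize(action, action.DeclaringType);
            bool viaReflected = HasAuthorize(action, action.ReflectedType);
            string note = viaDeclaring == viaReflected ? "" : "  <-- lookups disagree";
            Console.WriteLine(
                $"{action.Name}: DeclaringType={action.DeclaringType.Name} -> {viaDeclaring}, " +
                $"ReflectedType={action.ReflectedType.Name} -> {viaReflected}{note}");
        }
    }
}
```

The same comparison can be run over real controller types as a review check: any action where the two results differ is one whose generated documentation would not match the authorization actually enforced.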