mattfrear/Swashbuckle.AspNetCore.Filters

SecurityRequirementsOperationFilter<T> looks for attributes in the method DeclaringType instead of ReflectedType

andrew-yustyk opened this issue · 1 comments

OperationFilterContextExtensions has an extension method named GetControllerAndActionAttributes that searches for the Authorize attribute on the controller action and the controller class.
But this method uses the DeclaringType property of the method instead of the ReflectedType property, i.e. attributes will be searched for in the class where the current method is written. This behavior causes an issue with auth in Swagger in the case when we have a base class without auth with a few actions and a derived class with auth.

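using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Base controller: carries no [Authorize] attribute of its own.
public abstract class BaseController : ControllerBase
{
    [HttpGet("[action]")]
    public IActionResult SomeBaseAction()
    {
        return Ok();
    }
}

// Derived controller: [Authorize] here also covers the inherited SomeBaseAction.
[ApiController]
[Authorize]
public class DerivedController : BaseController
{
    [HttpGet("[action]")]
    public IActionResult SomeDerivedAction()
    {
        return Ok();
    }
}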

In this case, only SomeDerivedAction from the derived controller will have authorization, while both actions require it.
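
The reflection behavior behind this report, as an added example that is not part of the original issue or the project's code: for an inherited method looked up through the derived type, `DeclaringType` is the base class and `ReflectedType` is the derived class, so an attribute check on `DeclaringType` misses the derived class's `[Authorize]`. The `AuthorizeAttribute` stub, the plain classes and the `HasAuthorize` helper are assumptions made so the sample runs without ASP.NET Core.

```csharp
using System;
using System.Reflection;

// Local stand-in for Microsoft.AspNetCore.Authorization.AuthorizeAttribute
// (assumption: a stub, so the sample needs no ASP.NET Core reference).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
public sealed class AuthorizeAttribute : Attribute { }

public abstract class BaseController
{
    public string SomeBaseAction() => "ok";
}

[Authorize]
public class DerivedController : BaseController
{
    public string SomeDerivedAction() => "ok";
}

public static class Program
{
    // Hypothetical helper: is [Authorize] present on the type or one of its base types?
    static bool HasAuthorize(Type type) =>
        type.IsDefined(typeof(AuthorizeAttribute), inherit: true);

    public static void Main()
    {
        foreach (string name in new[] { "SomeBaseAction", "SomeDerivedAction" })
        {
            // Look the action up through the concrete controller, the type
            // that is actually exposed as an endpoint.
            MethodInfo method = typeof(DerivedController).GetMethod(name);

            Console.WriteLine(name);
            // DeclaringType: the class whose source contains the method body.
            Console.WriteLine("  DeclaringType = " + method.DeclaringType.Name
                + ", [Authorize] found: " + HasAuthorize(method.DeclaringType));
            // ReflectedType: the class the MethodInfo was obtained from.
            Console.WriteLine("  ReflectedType = " + method.ReflectedType.Name
                + ", [Authorize] found: " + HasAuthorize(method.ReflectedType));
        }
    }
}
```

A documentation filter that checks only `DeclaringType` therefore shows the inherited action without a security requirement even though the endpoint requires authorization at runtime.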