ASP.Net Web Api Help page based on authorization

Question

I'm using the ASP.Net Web API behind Windows Authentication and using the [Authorize] attribute to dictate what controllers and functions users have access to. This works great. The problem is that I would like to have the help area reflect only what the user has been granted for access. Curious if anyone has achieved this in some fashion. Is this done at the level of the controller, the App Start, or the help controller.

Thanks in advance...

Code snippet of one of my controllers

[Authorize]
public class TaktTimeController : ApiController
{
    private BIDataContainer db = new BIDataContainer();

    // GET api/TaktTime
    [Authorize(Roles="Admins")]
    public IQueryable<TaktTime> GetTaktTimes()
    {
        return db.TaktTimes;
    }

    // GET api/TaktTime/5
    [ResponseType(typeof(TaktTime))]
    [Authorize(Roles = "Admins")]
    public IHttpActionResult GetTaktTime(string id)
    {
        TaktTime takttime = db.TaktTimes.Find(id);
        if (takttime == null)
        {
            return NotFound();
        }

        return Ok(takttime);
    }

Answer 1

You will need to modify HelpController.cs and add the following method:

using System.Collections.ObjectModel;

private Collection<ApiDescription> FilteredDescriptions()
{
    var descriptionsToShow = new Collection<ApiDescription>();

    foreach (var apiDescription in Configuration.Services.GetApiExplorer().ApiDescriptions)
    {
        var actionDescriptor = apiDescription.ActionDescriptor as ReflectedHttpActionDescriptor;
        var authAttribute = actionDescriptor?.MethodInfo.CustomAttributes.FirstOrDefault(x => x.AttributeType.Name == nameof(System.Web.Http.AuthorizeAttribute));
        var roleArgument = authAttribute?.NamedArguments?.FirstOrDefault(x => x.MemberName == nameof(System.Web.Http.AuthorizeAttribute.Roles));
        var roles = roleArgument?.TypedValue.Value as string;
        if (roles?.Split(',').Any(role => User.IsInRole(role.Trim())) ?? false)
        {
            descriptionsToShow.Add(apiDescription);
        }
    }
    return descriptionsToShow;
}

And call it from the Index() action:

return View(FilteredDescriptions());

Answer 2

This can be achieved in razor view something like the following would be what you need.

 @if (User.IsInRole("admin"))
 {
     <div>
         <!--Text for admin here-->
     </div>
 }
 @if (User.IsInRole("user"))
 {
     <div>
         <!--Text for user here-->
     </div>
 }

The same logic can be used in WebApi controllers

public string Get()
{
    if(User.IsInRole("admin"))
    {
        return "Text for admin";
    }

    if(User.IsInRole("user"))
    {
        return "Text for user";
    }
}

Answer 3

Building upon Stanislav's approach, I have added support for AllowAnonymous , username-based authorization, controller attributes and global authorization filters.

public ActionResult Index()
{
    ViewBag.DocumentationProvider = Configuration.Services.GetDocumentationProvider();
    //return View(Configuration.Services.GetApiExplorer().ApiDescriptions);
    return View(FilteredDescriptions());
}

private Collection<ApiDescription> FilteredDescriptions()
{
    var list = Configuration.Services.GetApiExplorer().ApiDescriptions
        .Where(apiDescription =>
        {
            // action attributes
            if (apiDescription.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Count != 0)
            {
                return true;
            }

            var actionAuthorizeAttributes = apiDescription.ActionDescriptor.GetCustomAttributes<AuthorizeAttribute>();

            if (actionAuthorizeAttributes.Count != 0)
            {
                return actionAuthorizeAttributes.All(IsUserAuthorized);
            }

            // controller attributes
            if (apiDescription.ActionDescriptor.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Count != 0)
            {
                return true;
            }

            var controllerAuthorizeAttributes = apiDescription.ActionDescriptor.ControllerDescriptor.GetCustomAttributes<AuthorizeAttribute>();

            if (controllerAuthorizeAttributes.Count != 0)
            {
                return controllerAuthorizeAttributes.All(IsUserAuthorized);
            }

            // global attributes
            if (apiDescription.ActionDescriptor.Configuration.Filters.OfType<AllowAnonymousAttribute>().Any())
            {
                return true;
            }

            var globalAuthorizeAttributes = apiDescription.ActionDescriptor.Configuration.Filters.OfType<AuthorizeAttribute>().ToList();

            if (globalAuthorizeAttributes.Count != 0)
            {
                return globalAuthorizeAttributes.All(IsUserAuthorized);
            }

            return true;
        })
        .ToList();

    return new Collection<ApiDescription>(list);
}

private bool IsUserAuthorized(AuthorizeAttribute authorizeAttribute)
{
    return User.Identity.IsAuthenticated
        && (authorizeAttribute.Roles == "" || authorizeAttribute.Roles.Split(',').Any(role => User.IsInRole(role.Trim())))
        && (authorizeAttribute.Users == "" || authorizeAttribute.Users.Split(',').Any(user => User.Identity.Name == user));
}