Custom authorise attribute not overriding/combining on specific actions

Question

I have created a custom authorise attribute to allow for some custom checks to determine access throughout my application.

When applying the custom auth attribute at a controller level and then trying to add additional access to a specific action, the roles are not applying in an 'additive' way.

Custom authorise attribute:

// Allow multiple = true so should roll all occurrences in a request into one
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class CustomAuthoriseAttribute : AuthorizeAttribute
{
    public CustomAuthoriseAttribute(params string[] roles)
    {
        this.Roles = string.Join(",", roles);
    }

    /// <summary>
    /// Custom routines to determine if a request is considered authorised.
    /// </summary>
    /// <param name="httpContext"></param>
    /// <returns></returns>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        var userManager = httpContext.GetOwinContext().GetUserManager<UserManager>();

        var user = userManager.FindById(httpContext.User.Identity.GetUserId());

        if (user == null)
        {
            return false;
        }

        // Log the user out as they should not be allowed access
        if (user.IsDisabled || user.IsDeleted)
        {
            httpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            httpContext.Session.Clear();

            return false;
        }

        return base.AuthorizeCore(httpContext);
    }
}

Usage in controller:

Seems to be hitting the the auth checks for SuperAdmin and Admin, and then hitting a check for Consultant on its own which is causing unauthorised request. Why are they not being treated altogether?

[CustomAuthorise(SuperAdministrator, Administrator)]
public class SomeController : Controller
{
    public const string SuperAdministrator = "SuperAdministrator";
    public const string Administrator = "Administrator";
    public const string Consultant = "Consultant";

    // Should only accessible by SuperAdministrators and Administrators
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }

    // Should be accessible by SuperAdministrators, Administrators and Consultants
    [HttpGet]
    [CustomAuthorise(Consultant)]
    public ActionResult SomeAction()
    {
        return View();
    }
}

Answer 1

Multiple authorize attributes are handled using a logical AND. The result of each attribute is AND'd with the previous. In this scenario, SomeAction would only be accessible by someone who is a super admin or admin (based on the controller level attribute) AND they are a consultant (based on the action level attribute).

There are a few different ways to do this but I would advise against granting access to the consultants at the controller level as you'd be blending privileged accounts (super admin and admin) with restricted accounts (consultant).

I would create a new controller that is accessible by all three roles and move this action there. Then you can leave your privileged methods in the original controller.

[CustomAuthorise(SuperAdministrator, Administrator)]
public class PrivilegedController : Controller
{

    // Should only accessible by SuperAdministrators and Administrators
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }

}

[CustomAuthorise(SuperAdministrator, Administrator, Consultant)]
public class LessPrivilegedController : Controller
{

    [HttpGet]
    public ActionResult SomeAction()
    {
        return View();
    }
}