Can not have [Authorize()] with dynamic code inside

Question

I am trying to make authorize accept roles either as enum or smart enum so that I don't have to debug magic strings and their typos

but I keep hitting a dead end with these two errors:

Attribute constructor parameter 'roles' has type 'Role[]', which is not a valid attribute parameter type

An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type

here is my code:

AuthorizeRoles.cs

public class AuthorizeRoles : AuthorizeAttribute
{
    public AuthorizeRoles(params Role[] roles)
    {
        string allowed = string.Join(", ", roles.ToList().Select(x => x.Name));
        Roles = allowed;
    }
}

Role.cs

public class Role
{
    public readonly string Name;

    public enum MyEnum  // added
    {
        Admin,
        Manager
    }

    public static readonly Role Admin = new Role("Admin");
    public static readonly Role Manager = new Role("Manager");

    public Role(string name)
    {
        Name = name;
    }

    public override string ToString()
    {
        return Name;
    }

and inside my controller I did this

    [AuthorizeRoles(Role.Admin, Role.Manager)]
    [AuthorizeRoles(Role.MyEnum.Admin)] // added 
    public IActionResult Index()
    {
        return Content("hello world");
    }

I have looked at these answers but it doesn't work

@SᴇM at first it was, then I changed it to [smart-enum](https://www.meziantou.net/2018/11/05/smart-enums-type-safe-enums-in-net) — Hoshani, Apr 17 '19 at 12:10
Your smart-enum is not an enum, so that will not work. Using a real enum will do the trick. — thehennyy, Apr 17 '19 at 12:13
Attributes can't do this, you need constant expressions as the compiler says. Enums or strings are probably your best option here. — Lasse V. Karlsen, Apr 17 '19 at 12:13
You can still refer to things, you could do something like `[AuthorizeRole(typeof(Role), nameof(Role.Admin))]`, you would need to use reflection to go get the actual field or property value though. — Lasse V. Karlsen, Apr 17 '19 at 12:14
@thehennyy I have done it with enum still the same issue happens — Hoshani, Apr 17 '19 at 12:16
@ChayimFriedman on this line (and the one below it) `[AuthorizeRoles(Role.Admin, Role.Manager)]` — Hoshani, Apr 17 '19 at 12:35
For me a simple enum compiles fine: https://dotnetfiddle.net/dfvzOH — thehennyy, Apr 17 '19 at 12:43

score 5 · Accepted Answer · answered Apr 17 '19 at 12:52

Because of the CLR constraints (how attributes stored in the metadata), atribute paramters can be only primitive types or arrays of those (and Types). You can't pass a Role (a custom object) to an attribute.

Enums are valid, but the compiler cannot convert your enum (Role.MyEnum) to Role, which is the type that the constructor of AuthorizeRoles requires. So this is a compiler error.

As you can guess, the solution is to create a constructor that take array of Role.MyEnum, as the following:

public class AuthorizeRoles : Attribute
{
    public string Roles { get; private set; }

    public AuthorizeRoles(params Role.MyEnum[] roles)
    {
        string allowed = string.Join(", ", roles);
        Roles = allowed;
    }
}

public class Role
{
    public readonly string Name;

    public enum MyEnum
    {
        Admin,
        Manager
    }

    public Role(string name)
    {
        Name = name;
    }

    public override string ToString()
    {
        return Name;
    }
}

// ...

[AuthorizeRoles(Role.MyEnum.Admin)]
public IActionResult Index()
{
    // ...
}

score 2 · Answer 2 · answered Apr 17 '19 at 12:44

2

It admittedly sucks, but the closest you can really get to this here is doing something like:

public static class Roles
{
    public const string Admin = "Admin";
    public const string Manager = "Manager";
}

And then:

[Authorize(Roles = Roles.Admin + "," + Roles.Manager)]

Between the combo of constant strings and in place string concatenation, it's all still a "constant expression". What you cannot do is basically anything that requires a method to be run such as string.Join. That's the breaks of the game when using attributes.

answered Apr 17 '19 at 12:44

Chris Pratt

232,153
36
385
444

You're likely still using your "smart enum", which won't work. It requires newing up objects, which are not constants. I provided the the example static class for a reason. That's the only way that will work. – Chris Pratt Apr 17 '19 at 12:53
Because you can't use `ToString()`. The *only* way it will work is exactly as I posted in my answer. You keep trying other stuff and then telling it doesn't work. Of course it doesn't. This is your only option if you don't want to hardcode the string values on the attribute itself. Period. – Chris Pratt Apr 17 '19 at 12:59

score 2 · Answer 3 · answered Apr 17 '19 at 12:48

In constructor AuthorizeRoles class you use array of Role class, but in attribute [AuthorizeRoles(Role.MyEnum.Admin)] you use parameter of type MyEnum. if you want use enum, you must create AuthorizeRoles class constructor with parameter of MyEnum type.

Rudresha Parameshappa · Answer 4 · 2019-04-17T13:02:39.850

Use constants for policy names and use authorization policies

// startup.cs

services.AddAuthorization(options =>
        {
            options.AddPolicy(PolicyConstants.Admin, policy =>
            {
                // Allowed to access the resource if role admin or manager
                policy.RequireClaim(JwtClaimTypes.Role, new[] { PolicyConstants.Admin, PolicyConstants.Manager });

               // Or use LINQ here
                policy.RequireAssertion(c =>
                {

                    // c.User.Claims
                });
}

In the controller use policy name

[Authorize(PolicyConstants.Admin)]
public class TestController
{
    // here also you can use specific policy and for controller, you can use other policy. It will match Action Level policy first and then match controller policy.
    public IActionResult Index()
    {
    }
}

Can not have [Authorize()] with dynamic code inside

4 Answers4