I'm trying to use this attribute on methods in the web API for a custom module:
    [DnnModuleAuthorize(AccessLevel = DotNetNuke.Security.SecurityAccessLevel.Edit)]
but no matter what SecurityAccessLevel I set, I always get a 401 unauthorized response.
I was able to make the code work by adding:
    [AllowAnonymous]
on the method, and adding:
    if (!ModulePermissionController.CanEditModuleContent(this.ActiveModule))
        return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "You do not have permission to access this content.");
to the beginning of my method, but it seems like this is a workaround that I really shouldn't need because it's exactly what that attribute is there for. I'm running DNN 7.2.1.
Anyone have any idea where I'm going wrong with the attribute?
Turns out it was actually related to the anti-forgery token. I'm using Angular so I'm setting my headers manually in my Angular service rather than using the built-in ServicesFramework setModuleHeaders method and was only setting the TabId and ModuleId. I didn't think the [AllowAnonymous] attribute would override the anti-forgery stuff but it looks like it definitely does (which is good to know).
Full solution for those doing the same:
    var baseUrl = sf.getServiceRoot('[yourmodulename]') + '[controller]';
    var config = {
        headers: {
            'ModuleId': sf.getModuleId(),
            'TabId': sf.getTabId(),
            'RequestVerificationToken': sf.getAntiForgeryValue()
        }
    };
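Added example, not part of the original answer: a client-side guard that builds the three headers named above and fails before the request is sent if any of them is empty, so a missing anti-forgery token surfaces as a clear error instead of a 401. The function names and the `fakeSf` stand-in are hypothetical; `sf` is assumed to expose the three getters used in the answer.

```javascript
// Header names taken from the answer above.
const REQUIRED_HEADERS = ['ModuleId', 'TabId', 'RequestVerificationToken'];

// Return the names of required headers that are absent or empty.
function missingDnnHeaders(headers) {
  return REQUIRED_HEADERS.filter(function (name) {
    const value = headers ? headers[name] : undefined;
    return value === undefined || value === null || String(value).trim() === '';
  });
}

// Build the header set from a ServicesFramework-like object and refuse to
// return an incomplete one (hypothetical helper, not a DNN API).
function dnnModuleHeaders(sf) {
  const headers = {
    ModuleId: sf.getModuleId(),
    TabId: sf.getTabId(),
    RequestVerificationToken: sf.getAntiForgeryValue()
  };
  const missing = missingDnnHeaders(headers);
  if (missing.length > 0) {
    throw new Error('Missing DNN request headers: ' + missing.join(', '));
  }
  return headers;
}

// Merge the headers into an existing $http-style config without dropping
// headers or options the caller already set.
function withDnnHeaders(sf, config) {
  const base = config || {};
  return Object.assign({}, base, {
    headers: Object.assign({}, base.headers, dnnModuleHeaders(sf))
  });
}

// Constructed stand-in for the ServicesFramework object; values are made up.
const fakeSf = {
  getModuleId: function () { return 416; },
  getTabId: function () { return 57; },
  getAntiForgeryValue: function () { return 'constructed-token'; }
};

console.log(withDnnHeaders(fakeSf, { headers: { Accept: 'application/json' } }));
// The situation from the question: only ModuleId and TabId were being sent.
console.log(missingDnnHeaders({ ModuleId: 416, TabId: 57 }));
```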