From the course: ASP.NET Core Identity: Authorization Management

Authorize and AllowAnonymous attributes - ASP.NET Core Tutorial


Authorize and AllowAnonymous attributes

- [Instructor] We're going to start this chapter by talking about simple authorization, and simple authorization is about checking if a user is authenticated or not, without caring about the role of the user, the claims, policies, et cetera. And to achieve that goal, we need to use the Authorize and AllowAnonymous attributes. So let us go to our project and see how we can use these attributes to achieve what we need. After you open the project in Visual Studio, go to Solution Explorer, and inside the solution you're going to see that we have an app. This is an ASP.NET Core MVC app, so in here we have the Controllers folder. We're going to work with the HomeController.cs file, but before we start working, let us run our application and see what we have. We see that in our app we have three main sections: we have the Admin dashboard, we have the Teacher dashboard and we have the Student dashboard. Now, so far we see that we can access any of these dashboards without being authenticated. Let us say we want the users to be authenticated whenever they want to access any of these dashboards. So for that, let us go to our Home controller. In the Home controller, we see that we have three actions. We have the Admin action, which renders the view for the Admin dashboard. We have the Student action, which renders the view for the Student dashboard, and the Teacher action. If you want the users to be authenticated when accessing any of these dashboards, you can either put the Authorize attribute in front of each action, or you can just put the Authorize attribute in front of the Home controller, which means that for any action that is within this controller, the user needs to be authenticated. So let us save the changes and run the application one more time. We see that when we go to the Teacher dashboard, we are redirected to a login page, and here we have an error which says that we cannot access /Home/Teacher because we are not authenticated.
Now, /Home/Teacher in here stands for Home controller and Teacher action. Let us go to Student, we get the same, and if we go to Admin, since this is our home page, we just see a slash. Let's say we want the users to be authenticated only for the Admin and the Teacher dashboard, but they can access the Student dashboard without being authenticated. Let us go one more time to Visual Studio. Here, in front of the Student ActionResult, let us use the AllowAnonymous attribute. Now, what this means is that by using the AllowAnonymous attribute, we don't ask the users to be authenticated whenever they want to access this ActionResult. But for the other ones, for the Teacher and Admin, they need to be authenticated because we still have the Authorize attribute in line 12. Let us run our project. So in here, let us go to the Teacher dashboard. We see that we need to be authenticated, the same way as in the Admin dashboard, but when we go to the Student dashboard we see that we can access it without being authenticated. Let us now say that we want the users to be authenticated only when they want to access the Student dashboard, but when they want to go to Teacher or Admin, they don't have to be authenticated. So let us go one more time to Visual Studio. In here, in line 17, let us change the value of AllowAnonymous to Authorize and just remove line 12. Let us save the changes and run the application one more time. So now when we go to the Teacher or Admin section, we can see the dashboards without being authenticated, but when we want to go to Student, we need to provide the credentials because we need to be authenticated to access the Student dashboard. Now, before we go to the next part, it is important to mention that the AllowAnonymous attribute can always override the Authorize attribute. So for example, let us go to our Visual Studio.
In here, if I put the AllowAnonymous attribute in front of the Home controller, this means that even though we have the Authorize attribute in line 17 for the action Student, the AllowAnonymous attribute over here is going to override it. So now, we don't need to be authenticated to access the Student action. So let us run the application one more time. And if we go anywhere, we see that we don't need to be authenticated to access the dashboards.
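The configurations walked through above, collected into one runnable file as an added example (this is not the course project's code). It assumes a cookie authentication scheme with a hypothetical /Account/Login page and a default route that lands on Home/Admin; the course uses ASP.NET Core Identity instead, but the attribute behaviour is the same. The second controller shows the override caveat from the last step: a controller-level AllowAnonymous silently disables every Authorize inside it.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// Cookie scheme and login path are assumptions for a self-contained demo.
builder.Services.AddAuthentication("Cookies")
    .AddCookie("Cookies", o => o.LoginPath = "/Account/Login");
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization, or [Authorize] sees no user
app.UseAuthorization();
// Assumption: Admin is the home page, matching the "/" the transcript sees for it.
app.MapControllerRoute("default", "{controller=Home}/{action=Admin}/{id?}");
app.Run();

// Controller-level [Authorize]: every action requires an authenticated user
// unless the action opts out with [AllowAnonymous].
[Authorize]
public class HomeController : Controller
{
    // Inherits [Authorize]; unauthenticated requests are redirected to
    // /Account/Login?ReturnUrl=%2FHome%2FAdmin (ReturnUrl is "/" for the home page).
    public IActionResult Admin() => View();

    // Inherits [Authorize]; ReturnUrl=%2FHome%2FTeacher.
    public IActionResult Teacher() => View();

    // [AllowAnonymous] on the action overrides the controller-level [Authorize],
    // so /Home/Student is reachable without logging in.
    [AllowAnonymous]
    public IActionResult Student() => View();
}

// Caveat: the override also works top-down. [AllowAnonymous] on the controller
// makes every action anonymous, including ones explicitly marked [Authorize].
// Secret is therefore exposed; the fix is to remove the controller-level attribute.
[AllowAnonymous]
public class LeakyController : Controller
{
    [Authorize]   // has no effect here: the controller-level [AllowAnonymous] wins
    public IActionResult Secret() => View();
}
```

When reviewing a code base for this mistake, search for controllers carrying `[AllowAnonymous]` at class level and treat any `[Authorize]` on their actions as dead code.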
