
Support [AllowAnonymous] along with [Authorize]

Open Shane32 opened this issue 6 months ago • 0 comments

This allows bypassing the parent type's authorization while defining new requirements on the field. Previously, any requirements on the field were ignored.

Sample:

```graphql
# .AuthorizeWithRoles("Admin")
type Mutation {
  createUser(name: String!): String # requires Admin role

  # .AllowAnonymous()
  # .Authorize()
  updateOwnProfile(email: String!): Boolean # requires any authenticated user

  # .AllowAnonymous()
  submitFeedback(message: String!): Boolean # anonymous user
}
```

Recently I found that I had assumed that .AllowAnonymous() would stack with .Authorize(), but this was not the case. So, is this a security bug fix, or a new feature? Not sure, but I don't think it warrants a major version bump. All prior tests pass.

Shane32 · Jun 12 '25 03:06
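The behaviour change described in the issue, modelled as an added example (this is illustrative Python, not GraphQL.NET's own authorization code): the three sample fields are evaluated for an anonymous, an authenticated, and an Admin user under the old rule (`.AllowAnonymous()` skips every check, so the field's own `.Authorize()` is lost) and under the new rule (`.AllowAnonymous()` only skips the parent type's rules). The `AuthRules`, `User` and `authorized` names are this example's own; it assumes that, without `.AllowAnonymous()`, both the type's and the field's requirements apply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRules:
    """Modelled authorization metadata on a type or field (not GraphQL.NET's types)."""
    authorize: bool = False               # .Authorize(): any authenticated user
    roles: frozenset = frozenset()        # .AuthorizeWithRoles(...): one of these roles
    allow_anonymous: bool = False         # .AllowAnonymous()


@dataclass(frozen=True)
class User:
    authenticated: bool
    roles: frozenset = frozenset()


def requirements_met(rules: AuthRules, user: User) -> bool:
    """Check one set of rules in isolation."""
    if rules.roles:
        return user.authenticated and bool(rules.roles & user.roles)
    if rules.authorize:
        return user.authenticated
    return True  # no requirement declared


def authorized(parent: AuthRules, fld: AuthRules, user: User, stacking: bool) -> bool:
    """stacking=False: old behaviour, AllowAnonymous on the field skips all checks.
    stacking=True: new behaviour, AllowAnonymous skips only the parent's rules."""
    if fld.allow_anonymous:
        return True if not stacking else requirements_met(fld, user)
    # Assumption: type-level and field-level requirements both apply otherwise.
    return requirements_met(parent, user) and requirements_met(fld, user)


# The issue's sample schema: Mutation is .AuthorizeWithRoles("Admin").
MUTATION = AuthRules(roles=frozenset({"Admin"}))
FIELDS = {
    "createUser": AuthRules(),                                        # inherits Admin
    "updateOwnProfile": AuthRules(allow_anonymous=True, authorize=True),
    "submitFeedback": AuthRules(allow_anonymous=True),
}

ANON = User(authenticated=False)
MEMBER = User(authenticated=True)
ADMIN = User(authenticated=True, roles=frozenset({"Admin"}))


def access_matrix(user: User, stacking: bool) -> dict:
    """Which sample fields this user may call under the chosen semantics."""
    return {name: authorized(MUTATION, rules, user, stacking) for name, rules in FIELDS.items()}
```

Under the old semantics an anonymous caller reaches `updateOwnProfile` despite its `.Authorize()`; under the new semantics that field needs an authenticated user while `submitFeedback` stays open and `createUser` remains Admin-only.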