security: let database permissions override code-level AllowAnonymous

shesha-core/src/Shesha.Application/Authorization/ApiAuthorizationHelper.cs

@@ -7,6 +7,7 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Shesha.Configuration.Security;
+using Shesha.Domain.Enums;
 using Shesha.Extensions;
 using Shesha.Permissions;
 using Shesha.Reflection;
@@ -44,9 +45,8 @@ public override async Task AuthorizeAsync(MethodInfo methodInfo, Type type)
                 return;
             }
 
-            if (type.HasAttribute<AllowAnonymousAttribute>() || methodInfo.HasAttribute<AllowAnonymousAttribute>()
-                || type.HasAttribute<AbpAllowAnonymousAttribute>() || methodInfo.HasAttribute<AbpAllowAnonymousAttribute>())
-                return;
+            var hasCodeAllowAnonymous = type.HasAttribute<AllowAnonymousAttribute>() || methodInfo.HasAttribute<AllowAnonymousAttribute>()
+                || type.HasAttribute<AbpAllowAnonymousAttribute>() || methodInfo.HasAttribute<AbpAllowAnonymousAttribute>();
 
             var shaServiceType = typeof(ApplicationService);
             var controllerType = typeof(ControllerBase);
@@ -61,19 +61,25 @@ public override async Task AuthorizeAsync(MethodInfo methodInfo, Type type)
                 return;
 
             var securitySettings = await _securitySettings?.SecuritySettings?.GetValueAsync();
-            var settings = securitySettings?.DefaultEndpointAccess;
+            var defaultAccess = securitySettings?.DefaultEndpointAccess;
 
-            if (settings == null)
+            if (defaultAccess == null)
                 throw new NullReferenceException("Cannot get DefaultEndpointAccess");
 
-            // ToDo: add RequireAll flag
+            // If code-level [AllowAnonymous] is present, use it as the fallback for Inherited.
+            // Database configuration with an explicit access level will still take precedence.
+            var replaceInherited = hasCodeAllowAnonymous
+                ? RefListPermissionedAccess.AllowAnonymous
+                : defaultAccess;
+
+            // Note: requireAll is intentionally false — multiple permissions are OR'd (any single permission grants access)
             await _objectPermissionChecker.AuthorizeAsync(
                 false,
                 typeName,
                 methodName,
                 ShaPermissionedObjectsTypes.WebApiAction,
                 AbpSession.UserId.HasValue,
-                settings
+                replaceInherited
             );
         }
     }

shesha-core/src/Shesha.Application/Authorization/SheshaAuthorizationFilter.cs

@@ -10,7 +10,6 @@
 using Abp.Events.Bus.Exceptions;
 using Abp.Web.Models;
 using Castle.Core.Logging;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
@@ -39,13 +38,6 @@ public SheshaAuthorizationFilter(
 
         public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
         {
-            var endpoint = context?.HttpContext?.GetEndpoint();
-            // Allow Anonymous skips all authorization
-            if (endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null)
-            {
-                return;
-            }
-
             if (!context.ActionDescriptor.IsControllerAction())
             {
                 return;