I recently finished my first DNN module using the MVC template from Chris Hammond (https://github.com/ChrisHammond/DNNTe...
Now, I am trying to find a way to protect my AJAX POST calls, as they are accessible from outside the DNN platform.
You can test this by using a program like ARC (Advanced REST client).
If you enter the AJAX call URL and add the moduleid and tabid headers, the call will succeed, even if the user is not registered on your website.
Marking the controller method with the [DnnModuleAuthorize(AccessLevel = DotNetNuke.Security.SecurityAccessLevel.Admin)] or [DnnAuthorize(StaticRoles = "Administrators")] annotation does not seem to work, as the User accessing the method is only Administrator for the specific website, not a global Administrator.
The User.Roles variable holds the following entries: "Registered Users, Subscribers, Others".
Same for the [DnnModuleAuthorize(AccessLevel = DotNetNuke.Security.SecurityAccessLevel.Edit)] annotation. Although this seems to be a DNN bug, as the user is able to get into edit mode and is able to edit the module.
I also tried to check for the ModuleContext.EditMode bool to be true in my controller, but it is set to false for every AJAX call (even if the user has the right permissions). For non-AJAX calls, the bool is set correctly.
Is there any way to protect AJAX calls to only be accessible if the user has edit rights and is only administrator for the specific website?