protected override bool IsAuthorized(HttpActionContext actionContext)
{
var actions = new List <Claim>();
var action = ActionFromAttribute();
if (action != null)
{
actions.Add(action);
}
actions.Add(actionContext.ActionFromController());
var resources = new List <Claim>();
var resourceList = ResourcesFromAttribute();
if (resourceList != null)
{
resources.AddRange(resourceList);
}
resources.AddRange(actionContext.ResourceFromController());
// filter "controller" since we're already adding it explicitly in the above code
var routeClaims = actionContext.ResourcesFromRouteParameters().Where(x => x.Type != "controller");
resources.AddRange(routeClaims);
return(CheckAccess(actionContext.Request, actions.ToArray(), resources.Distinct(new ClaimComparer()).ToArray()));
}