AllowAnonymous can override AuthorizeAttribute

aspnet#309

Author: sebastienros

src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeAttribute.cs

@@ -50,7 +50,7 @@ public override async Task OnAuthorizationAsync([NotNull] AuthorizationContext c
                     user.Identity == null || 
                     !user.Identity.IsAuthenticated;
 
-                    if(userIsAnonymous)
+                    if(userIsAnonymous && !HasAllowAnonymous(context))
                     {
                         base.Fail(context);
                     }

test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeAttributeTests.cs

@@ -45,6 +45,26 @@ public async Task Invoke_EmptyClaimsShouldRejectAnonymousUser()
             Assert.NotNull(authorizationContext.Result);
         }
 
+        [Fact]
+        public async Task Invoke_EmptyClaimsWithAllowAnonymousAttributeShouldNotRejectAnonymousUser()
+        {
+            // Arrange
+            var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
+            var authorizeAttribute = new AuthorizeAttribute();
+            var authorizationContext = GetAuthorizationContext(services => 
+                services.AddInstance<IAuthorizationService>(authorizationService),
+                anonymous: true
+                );
+
+            authorizationContext.Filters.Add(new AllowAnonymousAttribute());
+
+            // Act
+            await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
+
+            // Assert
+            Assert.Null(authorizationContext.Result);
+        }
+
         [Fact]
         public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser()
         {