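/// <summary>
/// Web API authorization filter that lets a request through only when the caller
/// is a <see cref="BasicAuthenticationIdentity"/> that holds every permission key
/// passed to the constructor. The actual decision is delegated to
/// <see cref="RequireAllPermissionsValidator.Validate"/>.
/// </summary>
public class RequireAllPermissions : AuthorizeAttribute
{
    private readonly Permission.PermissionKey[] _permissions;

    // Attributes are instantiated by the framework, not by the DI container, so the
    // collaborators are resolved from the Unity container on each access instead of
    // being constructor-injected.
    private IUserLogic UserLogic
    {
        get { return UnityConfig.GetConfiguredContainer().Resolve<IUserLogic>(); }
    }

    private IPermissionLogic PermissionLogic
    {
        get { return UnityConfig.GetConfiguredContainer().Resolve<IPermissionLogic>(); }
    }

    /// <param name="permissions">Permission keys the caller must ALL hold. An empty
    /// list only requires an authenticated <see cref="BasicAuthenticationIdentity"/>.</param>
    public RequireAllPermissions(params Permission.PermissionKey[] permissions)
    {
        _permissions = permissions;
    }

    /// <summary>
    /// Returns true only when the validator grants access; a false return makes the base
    /// <see cref="AuthorizeAttribute"/> reject the request, so the filter fails closed
    /// even if the challenge helper does not set a response itself.
    /// </summary>
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        return RequireAllPermissionsValidator.Validate(actionContext, _permissions, UserLogic, PermissionLogic);
    }
}

/// <summary>
/// Stateless permission check shared by <see cref="RequireAllPermissions"/>; separated
/// from the attribute so the logic can be exercised with injected collaborators.
/// </summary>
public static class RequireAllPermissionsValidator
{
    /// <summary>
    /// Grants access only when the current thread principal carries a
    /// <see cref="BasicAuthenticationIdentity"/>, the resolved user is non-null, and
    /// <paramref name="permissionLogic"/> confirms every key in <paramref name="permissions"/>.
    /// </summary>
    /// <param name="actionContext">Context of the request being authorized; passed to the challenge helper on rejection.</param>
    /// <param name="permissions">Keys that must all be held. Null is treated as a misconfiguration and denied.</param>
    /// <param name="userLogic">Resolves the user for the current thread identity.</param>
    /// <param name="permissionLogic">Answers whether a user holds a given permission key.</param>
    /// <returns>True to allow the request, false to deny it.</returns>
    /// <remarks>
    /// Every rejection both issues the challenge and returns false. The previous version only
    /// issued the challenge and then fell through to <c>return true</c>, so unless
    /// <c>ValidatorHelpers.ChallengeAuthRequest</c> short-circuited the pipeline by setting a
    /// response, an unauthenticated caller or one missing a permission was still authorized,
    /// and a null <paramref name="permissions"/> array reached the foreach and threw.
    /// NOTE(review): the status code on a missing identity is kept as Forbidden to match the
    /// existing helper contract; 401 Unauthorized would be the conventional choice — confirm
    /// with the owners of ValidatorHelpers.
    /// </remarks>
    internal static bool Validate(HttpActionContext actionContext, Permission.PermissionKey[] permissions, IUserLogic userLogic, IPermissionLogic permissionLogic)
    {
        // CurrentPrincipal itself can be null on a thread that never authenticated; treat
        // that the same as a missing identity rather than throwing.
        var principal = System.Threading.Thread.CurrentPrincipal;
        var identity = principal == null ? null : principal.Identity as BasicAuthenticationIdentity;
        if (identity == null)
        {
            ValidatorHelpers.ChallengeAuthRequest(actionContext, HttpStatusCode.Forbidden);
            return false;
        }

        // A null key array means the attribute was misconfigured; deny rather than let the
        // loop below dereference it.
        if (permissions == null)
        {
            ValidatorHelpers.ChallengeAuthRequest(actionContext, HttpStatusCode.Forbidden);
            return false;
        }

        var user = userLogic.GetUserByThreadIdentity();
        if (user == null)
        {
            // An authenticated identity that maps to no user record must not be authorized.
            ValidatorHelpers.ChallengeAuthRequest(actionContext, HttpStatusCode.Forbidden);
            return false;
        }

        // All keys are required, so the first missing one is enough to reject.
        foreach (var permissionKey in permissions)
        {
            if (!permissionLogic.UserHasPermissionInRole(user, permissionKey))
            {
                ValidatorHelpers.ChallengeAuthRequest(actionContext, HttpStatusCode.Forbidden);
                return false;
            }
        }

        return true;
    }
}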