Different API functionality for different roles
up vote
4
down vote
favorite
I have API with asp.net core 2.1. Claims-based authentication. Is it possible to combine these two api function in one?
[Authorize(Roles = "Admin")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
[Authorize]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
var id = int.Parse(User.FindFirst(ClaimTypes.NameIdentifier).Value);
if (_itemService.IsAuthor(id))
{
_itemService.Delete(item.Id);
return Ok();
}
return Forbid();
}
Or should I just check the role inside method?
c# asp.net-core asp.net-core-2.0
edited Nov 7 at 9:00
Kirk Larkin
17k33452
asked Nov 7 at 8:55
Alexey Korsakov
678
add a comment |
up vote
4
down vote
favorite
I have API with asp.net core 2.1. Claims-based authentication. Is it possible to combine these two api function in one?
[Authorize(Roles = "Admin")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
[Authorize]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
var id = int.Parse(User.FindFirst(ClaimTypes.NameIdentifier).Value);
if (_itemService.IsAuthor(id))
{
_itemService.Delete(item.Id);
return Ok();
}
return Forbid();
}
Or should I just check the role inside method?
c# asp.net-core asp.net-core-2.0
edited Nov 7 at 9:00
Kirk Larkin
17k33452
asked Nov 7 at 8:55
Alexey Korsakov
678
Resource-based authorization might be useful here.
– Kirk Larkin
Nov 7 at 8:59
May be having a custom policy with Authorization handler be the best choice in this case. docs.microsoft.com/en-us/aspnet/core/security/authorization/…
– user2884707bond
Nov 7 at 14:36
add a comment |
up vote
4
down vote
favorite
up vote
4
down vote
favorite
I have API with asp.net core 2.1. Claims-based authentication. Is it possible to combine these two api function in one?
[Authorize(Roles = "Admin")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
[Authorize]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
var id = int.Parse(User.FindFirst(ClaimTypes.NameIdentifier).Value);
if (_itemService.IsAuthor(id))
{
_itemService.Delete(item.Id);
return Ok();
}
return Forbid();
}
Or should I just check the role inside method?
c# asp.net-core asp.net-core-2.0
edited Nov 7 at 9:00
Kirk Larkin
17k33452
asked Nov 7 at 8:55
Alexey Korsakov
678
I have API with asp.net core 2.1. Claims-based authentication. Is it possible to combine these two api function in one?
[Authorize(Roles = "Admin")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
[Authorize]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
var id = int.Parse(User.FindFirst(ClaimTypes.NameIdentifier).Value);
if (_itemService.IsAuthor(id))
{
_itemService.Delete(item.Id);
return Ok();
}
return Forbid();
}
Or should I just check the role inside method?
c# asp.net-core asp.net-core-2.0
c# asp.net-core asp.net-core-2.0
edited Nov 7 at 9:00
Kirk Larkin
17k33452
asked Nov 7 at 8:55
Alexey Korsakov
678
edited Nov 7 at 9:00
Kirk Larkin
17k33452
asked Nov 7 at 8:55
Alexey Korsakov
678
edited Nov 7 at 9:00
Kirk Larkin
17k33452
edited Nov 7 at 9:00
Kirk Larkin
17k33452
edited Nov 7 at 9:00
Kirk Larkin
17k33452
17k33452
asked Nov 7 at 8:55
Alexey Korsakov
678
asked Nov 7 at 8:55
Alexey Korsakov
678
asked Nov 7 at 8:55
Alexey Korsakov
678
678
Resource-based authorization might be useful here.
– Kirk Larkin
Nov 7 at 8:59
May be having a custom policy with Authorization handler be the best choice in this case. docs.microsoft.com/en-us/aspnet/core/security/authorization/…
– user2884707bond
Nov 7 at 14:36
add a comment |
Resource-based authorization might be useful here.
– Kirk Larkin
Nov 7 at 8:59
May be having a custom policy with Authorization handler be the best choice in this case. docs.microsoft.com/en-us/aspnet/core/security/authorization/…
– user2884707bond
Nov 7 at 14:36
Resource-based authorization might be useful here.
– Kirk Larkin
Nov 7 at 8:59
Resource-based authorization might be useful here.
– Kirk Larkin
Nov 7 at 8:59
May be having a custom policy with Authorization handler be the best choice in this case. docs.microsoft.com/en-us/aspnet/core/security/authorization/…
– user2884707bond
Nov 7 at 14:36
May be having a custom policy with Authorization handler be the best choice in this case. docs.microsoft.com/en-us/aspnet/core/security/authorization/…
– user2884707bond
Nov 7 at 14:36
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
accepted
For checking the permission with whether the user is Admin or Author, you could implement multiple requirements as the doc from @user2884707bond.
For using the multiple requrements for your scenario.
You could follow steps below:
PermissionHandler.cs
public class PermissionHandler : IAuthorizationHandler
{
public Task HandleAsync(AuthorizationHandlerContext context)
{
var pendingRequirements = context.PendingRequirements.ToList();
foreach (var requirement in pendingRequirements)
{
if (requirement is ReadPermission)
{
if (IsOwner(context.User, context.Resource) ||
IsAdmin(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
else if (requirement is EditPermission ||
requirement is DeletePermission)
{
if (IsOwner(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
}
return Task.CompletedTask;
}
private bool IsAdmin(ClaimsPrincipal user, object resource)
{
if (user.IsInRole("Admin"))
{
return true;
}
return false;
}
private bool IsOwner(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
private bool IsSponsor(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
}
Requirements
public class ReadPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class EditPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class DeletePermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
Register
RequirementinStartup.cs
services.AddAuthorization(options =>
{
options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
});
services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
Use
[Authorize(Policy = "Read")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
answered Nov 8 at 5:17
Tao Zhou
3,62721026
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
accepted
For checking the permission with whether the user is Admin or Author, you could implement multiple requirements as the doc from @user2884707bond.
For using the multiple requrements for your scenario.
You could follow steps below:
PermissionHandler.cs
public class PermissionHandler : IAuthorizationHandler
{
public Task HandleAsync(AuthorizationHandlerContext context)
{
var pendingRequirements = context.PendingRequirements.ToList();
foreach (var requirement in pendingRequirements)
{
if (requirement is ReadPermission)
{
if (IsOwner(context.User, context.Resource) ||
IsAdmin(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
else if (requirement is EditPermission ||
requirement is DeletePermission)
{
if (IsOwner(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
}
return Task.CompletedTask;
}
private bool IsAdmin(ClaimsPrincipal user, object resource)
{
if (user.IsInRole("Admin"))
{
return true;
}
return false;
}
private bool IsOwner(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
private bool IsSponsor(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
}
Requirements
public class ReadPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class EditPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class DeletePermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
Register
RequirementinStartup.cs
services.AddAuthorization(options =>
{
options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
});
services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
Use
[Authorize(Policy = "Read")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
answered Nov 8 at 5:17
Tao Zhou
3,62721026
add a comment |
up vote
1
down vote
accepted
For checking the permission with whether the user is Admin or Author, you could implement multiple requirements as the doc from @user2884707bond.
For using the multiple requrements for your scenario.
You could follow steps below:
PermissionHandler.cs
public class PermissionHandler : IAuthorizationHandler
{
public Task HandleAsync(AuthorizationHandlerContext context)
{
var pendingRequirements = context.PendingRequirements.ToList();
foreach (var requirement in pendingRequirements)
{
if (requirement is ReadPermission)
{
if (IsOwner(context.User, context.Resource) ||
IsAdmin(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
else if (requirement is EditPermission ||
requirement is DeletePermission)
{
if (IsOwner(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
}
return Task.CompletedTask;
}
private bool IsAdmin(ClaimsPrincipal user, object resource)
{
if (user.IsInRole("Admin"))
{
return true;
}
return false;
}
private bool IsOwner(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
private bool IsSponsor(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
}
Requirements
public class ReadPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class EditPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class DeletePermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
Register
RequirementinStartup.cs
services.AddAuthorization(options =>
{
options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
});
services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
Use
[Authorize(Policy = "Read")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
answered Nov 8 at 5:17
Tao Zhou
3,62721026
add a comment |
up vote
1
down vote
accepted
up vote
1
down vote
accepted
For checking the permission with whether the user is Admin or Author, you could implement multiple requirements as the doc from @user2884707bond.
For using the multiple requrements for your scenario.
You could follow steps below:
PermissionHandler.cs
public class PermissionHandler : IAuthorizationHandler
{
public Task HandleAsync(AuthorizationHandlerContext context)
{
var pendingRequirements = context.PendingRequirements.ToList();
foreach (var requirement in pendingRequirements)
{
if (requirement is ReadPermission)
{
if (IsOwner(context.User, context.Resource) ||
IsAdmin(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
else if (requirement is EditPermission ||
requirement is DeletePermission)
{
if (IsOwner(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
}
return Task.CompletedTask;
}
private bool IsAdmin(ClaimsPrincipal user, object resource)
{
if (user.IsInRole("Admin"))
{
return true;
}
return false;
}
private bool IsOwner(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
private bool IsSponsor(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
}
Requirements
public class ReadPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class EditPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class DeletePermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
Register
RequirementinStartup.cs
services.AddAuthorization(options =>
{
options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
});
services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
Use
[Authorize(Policy = "Read")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
answered Nov 8 at 5:17
Tao Zhou
3,62721026
For checking the permission with whether the user is Admin or Author, you could implement multiple requirements as the doc from @user2884707bond.
For using the multiple requrements for your scenario.
You could follow steps below:
PermissionHandler.cs
public class PermissionHandler : IAuthorizationHandler
{
public Task HandleAsync(AuthorizationHandlerContext context)
{
var pendingRequirements = context.PendingRequirements.ToList();
foreach (var requirement in pendingRequirements)
{
if (requirement is ReadPermission)
{
if (IsOwner(context.User, context.Resource) ||
IsAdmin(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
else if (requirement is EditPermission ||
requirement is DeletePermission)
{
if (IsOwner(context.User, context.Resource))
{
context.Succeed(requirement);
}
}
}
return Task.CompletedTask;
}
private bool IsAdmin(ClaimsPrincipal user, object resource)
{
if (user.IsInRole("Admin"))
{
return true;
}
return false;
}
private bool IsOwner(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
private bool IsSponsor(ClaimsPrincipal user, object resource)
{
// Code omitted for brevity
return true;
}
}
Requirements
public class ReadPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class EditPermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
public class DeletePermission : IAuthorizationRequirement
{
// Code omitted for brevity
}
Register
RequirementinStartup.cs
services.AddAuthorization(options =>
{
options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
});
services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
Use
[Authorize(Policy = "Read")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
_itemService.Delete(item.Id);
return Ok();
}
answered Nov 8 at 5:17
Tao Zhou
3,62721026
answered Nov 8 at 5:17
Tao Zhou
3,62721026
answered Nov 8 at 5:17
Tao Zhou
3,62721026
answered Nov 8 at 5:17
Tao Zhou
3,62721026
3,62721026
add a comment |
add a comment |
draft saved
draft discarded
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53186143%2fdifferent-api-functionality-for-different-roles%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Resource-based authorization might be useful here.
– Kirk Larkin
Nov 7 at 8:59
May be having a custom policy with Authorization handler be the best choice in this case. docs.microsoft.com/en-us/aspnet/core/security/authorization/…
– user2884707bond
Nov 7 at 14:36