This is not a duplicate question or rather the solutions given in other solutions have not worked.
Lets say there is a controller
[Authorize(Roles=//set dynamically)]
public IActionResult DashBoard(LoginModel model)
{
}
I have tried the solutions in the following questions
Add roles to authorize attribute
dynamically assign controller action permissions to roles
dynamically add roles to authorize attribute for controller (Error: Handle method - no suitable method found to override )
can policy based authorization be more dynamic
All of these solutions do not work as either the methods overridden in the interfaces are not present (eg. authorizeAttribute does not contain a definition for AuthorizeCore) or in some cases IServiceCollection services does not contain a particular method
You can't do that. [Authorize(Roles=//set dynamically)]
must be know at compile time. Also using roles for this very reason is discouraged as pointed in blowdart's linked post from comments.
Instead, you should use claims and policies. Claims are fine grained permissions, for example "CreateCustomer" or "DeleteCustomer" or "ViewDashboard".
So you have to use it like
[Authorize(Policy = "ViewDashboard")]
These policies need to be know at compile time.
public class ViewDashboardRequirement : AuthorizationHandler<ViewDashboardRequirement>, IAuthorizationRequirement
{
public override void Handle(AuthorizationContext context, ViewDashboardRequirement requirement)
{
if (context.User.HasClaim(c => c.Type == "dashboard:read"))
{
context.context.Succeed(requirement);
return;
}
// only call fail if you do not want that other AuthorizationHandler may succeed with
// a different requirement
// context.Fail();
}
}
For an example on how to generate a generic handler (instead of writing a new Handler for each policy) see my answer here.
This will allow you to create configurable roles. Now you can create roles which consists as a bag of claims. Each claim may be one policies. When the user logs in, you add the claims that belong to a role to the list of users claims.
i.e.
etc.
Update from Comments.
You should be able to utilize ASP.NET Core Identity's claim and roleclaim abilities w/o changing a line of code, therefor you have the
IdentityRole
andIdentityRoleClaim
classes. At runtime, you add a newIdentityRole
(i.e. "Manager") and then add multipleIdentityRoleClaim
(one for each permission/policy)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With