Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Permission based authorization .net identity

I am new to .NET, MVC & Identity Framework. I noticed the identity framework allows for securing individual controller actions via annotations.

[Authorize]
public ActionResult Edit(int? Id){
    //edit action
}

I would like to secure certain actions based on user permissions.

Example : A blog application where only the user who created a blog post can edit.

With this in mind, is it possible to perform either option below? If so, are there resources and examples on how to best achieve?

[Authorize(Entity = "Entry", Permission = "Edit", Id = Id)]
public ActionResult Edit(int? Id){
    //edit action
}

or

[BlogEntryPermission(Permission = "Edit", Id = Id)]
public ActionResult Edit(int? Id){
    //edit action
}

Where blog Id is captured from the request.

Any information or direction on permission based authentication would be most appreciated. Thanks in advance for your help.

like image 807
Mike Croteau Avatar asked Nov 20 '14 19:11

Mike Croteau


People also ask

What is permission based authorization?

In short, permission-based access control defines permissions to each system's user. On the other hand, role-based access control specifies permissions to a set of roles of a system, roles assigned to each user.

What is an advantage of using a policy-based authorization instead of a role based one?

By using Policy-based & Role-based Authorization process, we can provide access to particular area of application to the user based on the Role/Policy of the user.

How does .NET authorization work?

Authorization in ASP.NET Core is controlled with AuthorizeAttribute and its various parameters. In its most basic form, applying the [Authorize] attribute to a controller, action, or Razor Page, limits access to that component to authenticated users. Now only authenticated users can access the Logout function.


1 Answers

You can implement your custom AuthorizationAttribute where you will specify your parameters and can get a blogId from request

public class AuthorizeEntryPermission : AuthorizeAttribute
{
        public string Permission { get; set; }

        public AuthorizeEntryPermission(){
        }

        public AuthorizeEntryPermission(string Permission)
        {
            this.Permission = Permission;
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
             var id = context.Request.RequestContext.RouteData.Values["Id"];
             //check your permissions
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (AuthorizeCore(filterContext.HttpContext))
            {
                // ** IMPORTANT **
                // Since we're performing authorization at the action level, the authorization code runs
                // after the output caching module. In the worst case this could allow an authorized user
                // to cause the page to be cached, then an unauthorized user would later be served the
                // cached page. We work around this by telling proxies not to cache the sensitive page,
                // then we hook our custom authorization code into the caching mechanism so that we have
                // the final say on whether a page should be served from the cache.

                HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
                cachePolicy.SetProxyMaxAge(new TimeSpan(0));
                cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
            }
            else
            {
                //handle no permission
            }
        }

        private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
        {
            validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));
        }
    }

Then use it like this:

[AuthorizeEntryPermission(Permission = "Edit")]
public ActionResult Edit(int? Id){
    //edit action
}
like image 135
Vsevolod Goloviznin Avatar answered Oct 30 '22 15:10

Vsevolod Goloviznin