How to implement Permission Based Access Control with Asp.Net Core

by

Based on the comments, here an example on how to use the policy based authorization: 

public class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(PermissionEnum permission)
    {
         Permission = permission;
    }

    public PermissionEnum Permission { get; }
}

public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IUserPermissionsRepository permissionRepository;

    public PermissionHandler(IUserPermissionsRepository permissionRepository)
    {
        if(permissionRepository == null)
            throw new ArgumentNullException(nameof(permissionRepository));

        this.permissionRepository = permissionRepository;
    }

    protected override void Handle(AuthorizationContext context, PermissionRequirement requirement)
    {
        if(context.User == null)
        {
            // no user authorizedd. Alternatively call context.Fail() to ensure a failure 
            // as another handler for this requirement may succeed
            return null;
        }

        bool hasPermission = permissionRepository.CheckPermissionForUser(context.User, requirement.Permission);
        if (hasPermission)
        {
            context.Succeed(requirement);
        }
    }
}

And register it in your Startup class: 

services.AddAuthorization(options =>
{
    UserDbContext context = ...;
    foreach(var permission in context.Permissions) 
    {
        // assuming .Permission is enum
        options.AddPolicy(permission.Permission.ToString(),
            policy => policy.Requirements.Add(new PermissionRequirement(permission.Permission)));
    }
});

// Register it as scope, because it uses Repository that probably uses dbcontext
services.AddScope<IAuthorizationHandler, PermissionHandler>();

And finally in the controller

[HttpGet]
[Authorize(Policy = PermissionEnum.PERSON_LIST.ToString())]
public ActionResult Index(PersonListQuery query)
{
    ...
}

The advantage of this solution is that you can also have multiple handlers for a requirement, i.e. if first one succeed the second handler can determine it’s a fail and you can use it with resource based authorization with little extra effort.

The policy based approach is the preferred way to do it by the ASP.NET Core team.

From blowdart:

We don’t want you writing custom authorize attributes. If you need to do that we’ve done something wrong. Instead you should be writing authorization requirements.

More Related Contents:

  1. How do I get the contents of a JSON file I added in the StartUp method to use it in one of my actions?
  2. @Html.Action in Asp.Net Core
  3. MVC/JQuery validation does not accept comma as decimal separator
  4. Mock HttpContext for unit testing a .NET core MVC controller?
  5. How to use npm with ASP.NET Core
  6. How to create roles in ASP.NET Core and assign them to users?
  7. Can Razor Class Library pack static files (js, css etc) too?
  8. Where are the ControllerContext and ViewEngines properties in MVC 6 Controller?
  9. How to know the selected checkboxes from within the HttpPost Create action method?
  10. How do I setup multiple auth schemes in ASP.NET Core 2.0?
  11. Where is Request.IsAjaxRequest() in Asp.Net Core MVC?
  12. TempData null in asp.net core
  13. Avoid or control circular references in Entity Framework Core
  14. ASP.NET Core middleware vs filters
  15. Multiple Authorization attributes on method
  16. How to use SqlClient in ASP.NET Core?
  17. AddIdentity vs AddIdentityCore
  18. Dealing with large file uploads on ASP.NET Core 1.0
  19. How do I transform appsettings.json in a .NET Core MVC project?
  20. An error occurred attempting to determine the process id of dotnet.exe which is hosting your application. One or more error occured
  21. Unable to resolve service for type ‘Microsoft.AspNetCore.Identity.UserManager` while attempting to activate ‘AuthController’
  22. How do you handle multiple submit buttons in ASP.NET MVC Framework?
  23. ASP.NET MVC – Attaching an entity of type ‘MODELNAME’ failed because another entity of the same type already has the same primary key value
  24. How to get the current user in ASP.NET MVC
  25. Why can’t I use System.IO.File methods in an MVC controller?
  26. .NET Core and System.Drawing
  27. Update multiple records at once in asp.net mvc
  28. Complex object and model binder ASP.NET MVC
  29. Formatting DateTime in ASP.NET Core 3.0 using System.Text.Json
  30. Working example for JavaScriptResult in asp.net mvc

Leave a Comment