May 02, 2018 06:57 PM|__Nicolai|LINK
An example to make it more clear what I mean:
1. User U1 creates a blog B1, and only this user will have access to edit/view and delete it initially.
2. Now user U2 applies for viewing/editing rights for blog B1 (could be via a button). The request will then be confirmed/denied by the owner.
3. After confirmation is done, user U2 will now have the rights to view/edit the blog.
I want to use as much of Asp.Net Core Identity, Entity Framework, action attributes and other built-in tools/frameworks as possible in order to avoid too much custom code.
I am not an expert in any of the authorization tools (claims, roles, resources, policies), but I have read about all of them and I can't seem to connect/combine one or more of them to resolve my example above.
Could someone please guide me/give me some feedback on where to begin? Do not hesitate to ask for more information or questions.
My own idea is to create a database that stores user id, authorization type and blog id and then run through that database with a custom authorization handler placed on all actions. But this doesn't strike me as a good solution.
Edit 1 - AuthorizationHandler
// The DbContext is injected through the constructor; it must not be named "context",
// because that is already the name of the AuthorizationHandlerContext parameter below.
private readonly ApplicationDbContext _dbContext;
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, Blog resource)
{
    // CheckPermissionForUser is my own helper on the DbContext; OperationAuthorizationRequirement exposes the operation as Name
    var hasPermission = _dbContext.CheckPermissionForUser(context.User, resource.Id, requirement.Name);
    if (hasPermission) context.Succeed(requirement);
    return Task.CompletedTask;
}
May 03, 2018 02:24 AM|Edward Z|LINK
>> My own idea is to create a database that stores user id, authorization type and blog id and then run through that database with a custom authorization handler placed on all actions.
I agree with you on this way.
For authenticating the Blog resource with different operations, Resource-based authentication would be better. Which makes you think it is no good solution.
For HandleRequirementAsync, you could check whether userid, blogid and operation type exist in the table.
# Operational requirements
May 03, 2018 05:13 AM|Khuram.Shahzad|LINK
You need to manage it by your custom business logic, because if you have something global then you can define a claim like an application-level claim EditBlogPermission, but the issue is that there is a specific workflow by which it gets decided that on a particular blog
a user has permission, so I think that you need to have a UserBlogPermission table and then you need to store permission-related info in it.
UserId - BlogId - PermissionType
Now you have it, you can use it.
May 03, 2018 04:26 PM|__Nicolai|LINK
Thanks for your reply.
Could you write a pseudo code HandleRequirementAsync method that illustrates your thinking?
May 04, 2018 03:05 AM|Edward Z|LINK
I see you added some code in your original post.
Do you mean you do not know how to access DbContext in HandleRequirementAsync?
If so, you could try something like below:
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    private readonly IServiceProvider _serviceProvider;
    public MinimumAgeHandler(IServiceProvider serviceProvider)
    {
        _serviceProvider = serviceProvider;
    }
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        // A handler registered as a singleton cannot take the scoped DbContext directly, so create a scope for it
        using (var scope = _serviceProvider.GetRequiredService<IServiceScopeFactory>().CreateScope())
        {
            var dbContext = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
            // query dbContext here and call context.Succeed(requirement) when the check passes
        }
        return Task.CompletedTask;
    }
}
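Putting the UserBlogPermission table and the resource-based handler from this thread together, as an added example that is not code from any of the posters: it assumes a Blog entity with Id and OwnerId, an ApplicationDbContext exposing a DbSet named UserBlogPermissions, and a handler registered with AddScoped so the scoped DbContext can be injected directly (the IServiceScopeFactory approach above is the alternative when the handler is a singleton).

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.EntityFrameworkCore;

// Constructed: one row per (user, blog, permission) granted after the owner approves a request.
public class UserBlogPermission
{
    public string UserId { get; set; }
    public int BlogId { get; set; }
    public string PermissionType { get; set; }   // "View", "Edit" or "Delete"
}

// Constructed: the operations a policy can require on a Blog resource.
public static class BlogOperations
{
    public static readonly OperationAuthorizationRequirement View   = new OperationAuthorizationRequirement { Name = "View" };
    public static readonly OperationAuthorizationRequirement Edit   = new OperationAuthorizationRequirement { Name = "Edit" };
    public static readonly OperationAuthorizationRequirement Delete = new OperationAuthorizationRequirement { Name = "Delete" };
}

// Resource-based handler: succeeds only if the caller owns the blog or holds an explicit grant
// for the requested operation. Anything else leaves the requirement unmet, which is a denial.
public class BlogPermissionHandler : AuthorizationHandler<OperationAuthorizationRequirement, Blog>
{
    private readonly ApplicationDbContext _db;   // assumed to expose DbSet<UserBlogPermission> UserBlogPermissions
    public BlogPermissionHandler(ApplicationDbContext db) => _db = db;

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Blog resource)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null) return;                          // anonymous caller: requirement stays unmet

        // The owner always has full rights on their own blog
        if (resource.OwnerId == userId) { context.Succeed(requirement); return; }

        // Otherwise look for an approved grant matching user, blog and operation
        bool granted = await _db.UserBlogPermissions.AnyAsync(p =>
            p.UserId == userId && p.BlogId == resource.Id && p.PermissionType == requirement.Name);
        if (granted) context.Succeed(requirement);
        // Do not call context.Fail() here: unmet already denies, and Fail would block every other handler
    }
}

// Usage in a controller action with IAuthorizationService _authz injected (assumed names):
//   var result = await _authz.AuthorizeAsync(User, blog, BlogOperations.Edit);
//   if (!result.Succeeded) return Forbid();
// Registration in Startup.ConfigureServices: services.AddScoped<IAuthorizationHandler, BlogPermissionHandler>();
```

The approval workflow (U2 requests, U1 confirms) then reduces to inserting a UserBlogPermission row in an action that is itself authorized with BlogOperations.Delete or an owner check, so the handler never has to know about requests.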