Auth: Implement Resource based Policy - Output a 404 Forbidden #1573 | Support

rkoepferl created 3 years ago

I have some problems getting the big picture of your design of Controllers, AppServices and the common Interface.

Let's take as a sample

interface IFooAppService
{
    Task<FooDto> GetFooAsync(Guid id);
}

class FooAppService: IFooAppService {..}
class FooAppController: IFooAppService {..}

Maybe I have to solve the whole thing different. but lets considder my current situation:

In GetFooAsync() I want to restrict access to the API. As in the ASP.Net samples I want to ensure the Author is the same as the user. Therefore I have to get the entity, first.

where would I actually do my check? Obviously in the AppService because this is where I get my entity, first. (But ASP.Net Authorisation suggests to use the ClaimsPrincipal. Therefore the Controller seems to be the place to write code: Like so: var authorizationResult = await _authorizationService.AuthorizeAsync(User, Document, Operations.Read);
Consider the authorized check works like a snap. So, eventualy I have to branch with an if(authorized) What would I do in the Forbidden case?

In good old Controller-Style I would return ForbidResult() but due to the interface I cannot do that because the compiler does not let me return an ActionResult, if my interface Result is a FooDto

should I change to Task<IActionResult> ? will it have any implications with the proper serialisation and the API generation abp generate proxy?

see https://docs.microsoft.com/en-gb/aspnet/core/security/authorization/resourcebased?view=aspnetcore-5.0

ABP Framework version: v4.3.2
UI type: Angular
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): no
Exception message and stack trace: --
Steps to reproduce the issue:"--

Auth: Implement Resource based Policy - Output a 404 Forbidden #1573

4 Answer(s)