Open Closed

To Polycy or not to Policy #1580


User avatar
0
rkoepferl created

I have read and tried a lot to establish resource based access policies. Basically the classic: Only ever the creation user may access a resource (for simplicity) In order to judge whether the current user can access a resouce, we have to get the Entity, first - hence enter the handler. So [Authoirize]-Attributse are not useful.

Keeping an eye on https://docs.microsoft.com/en-gb/aspnet/core/security/authorization/resourcebased?view=aspnetcore-5.0 I came up with this:

        // create a policy based on claim audience
        context.Services.AddAuthorization(options =>
        {
            options.AddPolicy("CallRecordingAccessPolicy", policy => policy.Requirements.Add(new CallRecordingPolicy()));
        });

        context.Services.AddSingleton<IAuthorizationHandler, CallRecordingAuthorizationHandler>();

If you're creating a bug/problem report, please include followings:

CallRecordingPolicy being an empty class; "CallRecordingAccessPolicy" being never used anywhere else. The implementation of the Handler is somewhat evident and the AppService is doing something like that:

    public virtual async Task<CallRecordingDto> GetAsync(Guid id)
    {
        CallRecording recording = await _callRecordingRepository.GetAsync(id);
        AuthorizationResult result = await AuthorizationService.AuthorizeAsync(resource: recording, requirement: new CallRecordingPolicy());

        if (!result.Succeeded)

Essentially I use a lot of infrastructure with no real benefit. Also this is not right available in the DI container in the UnitTest. Testing is a bit cumbersome. And in fact I could just declare some other arbitrary class, hook it up to the DI-Container and use it as so:

public virtual async Task<CallRecordingDto> GetAsync(Guid id)
        {
            CallRecording recording = await _callRecordingRepository.GetAsync(id);
            bool result = await _callRecordingChecker.CanAccess( recording _currentUser);

            if (!result)
public class CallRecordingAuthorizationHandler : ITransientDependency
{
public Task<bool> CanAccess(CallRecording r, ICurrentUser cu)

So, why should I use the first approach over this second approach?

Advantage:

  • Simple, thats waht needed
  • easier to use in UnitTests
  • more Straight forward
  • automatically in the DI container

2 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Resource-based authorization in ASP.NET Core is standard way and is part of ASPNET Core Identity.

    It abstracts the AuthorizationHandler and allows you to customize the handler class.

    It’s actually easier to use the second way, they are both ok. you can choose the way you like

  • User Avatar
    0
    ServiceBot created
    Support Team Automatic process manager

    This question has been automatically marked as stale because it has not had recent activity.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11