AUTHORIZATION

AUTHORIZE BY ROLE WITH THE AUTHORIZE ATTRIBUTE

.NET CORE

With Authorize we can require, in addition to authentication, that the user hold a certain role. In this post we discuss role-based authorization. In previous posts we saw two macro groups, authenticated users and anonymous users. Among the authenticated users we made a further division: those who can create, edit and delete courses, which is the Teacher role, and the administrators, who are in charge of assigning roles to users. We will also look at Policies, because our application still has a flaw: a user holding the Teacher role can edit another teacher's course. Policies are used to prevent this.

Figure: Authorization

Only the Administrator user, a trusted person chosen by our principal, can authorize access. To reach the Razor Page shown in the figure above, the user must hold the Administrator role.

Figure: Razor Page, Users

Let's see how authorization works in MVC; specifically, creating, editing and deleting a course is reserved to the Teacher role.

Figure: Courses, access in MVC

The Authorize attribute should be placed on the CoursesController and on the LessonsController. Let's see how to authorize access to two or more roles.

Figure: Authorizing multiple roles, Authorize

To access the Report action in the figure above you must hold both roles, because stacked Authorize attributes are composable: each one must be satisfied. Note that a single attribute with a comma-separated list, such as Roles = "Teacher,Administrator", means the opposite, namely that either role is enough.
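The following is an added example (not the course's own code) showing both ways of composing roles on MVC controllers and on a Razor Page. The controller and page names and the "Teacher" and "Administrator" role strings match the text; the action names other than Report are assumptions:

```csharp
// Added example: declarative role-based authorization in ASP.NET Core.
// Assumed names: CoursesController, ReportController, UsersModel; roles "Teacher" and "Administrator".
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace MyCourse.Controllers
{
    // Every action in this controller requires an authenticated user in the Teacher role.
    [Authorize(Roles = "Teacher")]
    public class CoursesController : Controller
    {
        public IActionResult Create() => View();
        public IActionResult Edit(int id) => View();
        public IActionResult Delete(int id) => View();

        // AllowAnonymous opens a single action back up: the catalogue stays public.
        [AllowAnonymous]
        public IActionResult Index() => View();
    }

    public class ReportController : Controller
    {
        // Two stacked attributes compose with AND: the caller must hold BOTH roles.
        [Authorize(Roles = "Teacher")]
        [Authorize(Roles = "Administrator")]
        public IActionResult Report() => View();

        // A comma-separated list inside ONE attribute composes with OR: EITHER role is enough.
        [Authorize(Roles = "Teacher,Administrator")]
        public IActionResult Summary() => View();
    }
}

namespace MyCourse.Pages.Admin
{
    // Razor Pages take the same attribute on the PageModel; only administrators manage users.
    [Authorize(Roles = "Administrator")]
    public class UsersModel : PageModel
    {
        public void OnGet() { }
    }
}
```

For the attributes to do anything, the pipeline must contain app.UseAuthentication() followed by app.UseAuthorization(), placed after app.UseRouting() and before the endpoint mapping; with the middleware missing the attributes are silently ignored and the 403 never happens.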

USE A POLICY FOR CUSTOM AUTHORIZATION LOGIC

There are situations where authorizing by role is still not enough; we now have a requirement to prevent one teacher from changing another teacher's course. In this case we need to verify that the user editing or deleting a course is its author. To do this we use a Policy. A policy sits between the user and the resource, and a user who wants to change that resource must satisfy all the requirements (the bricks in the figure) of the policy.

Figure: Policy

Each brick represents a requirement that the user must meet to obtain the resource.

Figure: Policy

With the last line in the figure above, the Add method, we attach our custom requirement to the policy; this is the important part, since it is what lets us express logic that roles alone cannot.

Figure: Policy

Let's see how to create the Requirement. You can find the code under the /Model/Authorization folder.

Figure: Requirement

The component that decides whether the Requirement is met is the AuthorizationHandler: it inspects the user's identity and, when needed, uses services obtained through Dependency Injection to determine whether the Requirement is satisfied or not.

Figure: AuthorizationHandler
Figure: Creating an AuthorizationHandler
Figure: Registering an AuthorizationHandler

ENFORCE A POLICY

Let's see, with a summary diagram, how the Policies are applied.

Figure: Authorization criteria
Figure: Applying a policy globally
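The following is an added example, not the project's own code, that carries the whole chain described in the two sections above: the Requirement, the AuthorizationHandler that resolves the caller and the course through Dependency Injection, the registration in Startup, and the two ways of enforcing the policy (per action and globally). It assumes ASP.NET Core 3.0 or later, a conventional {controller}/{action}/{id} route, a hypothetical ICourseService for data access, and the policy name "CourseAuthor"; none of those names come from the page:

```csharp
// Added example: author-only editing via a custom requirement, handler and policy.
// Assumed: ASP.NET Core 3.0+, route pattern {controller}/{action}/{id}, hypothetical ICourseService.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// A requirement is only a marker; the logic lives in the handler.
public class CourseAuthorRequirement : IAuthorizationRequirement { }

// Hypothetical data-access abstraction (the real project's layer will differ).
public interface ICourseService
{
    Task<string> GetCourseAuthorIdAsync(int courseId);
}

public class CourseAuthorRequirementHandler : AuthorizationHandler<CourseAuthorRequirement>
{
    private readonly IHttpContextAccessor httpContextAccessor;
    private readonly ICourseService courseService;

    public CourseAuthorRequirementHandler(IHttpContextAccessor httpContextAccessor, ICourseService courseService)
    {
        this.httpContextAccessor = httpContextAccessor;
        this.courseService = courseService;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CourseAuthorRequirement requirement)
    {
        // 1. Who is calling? Use the stable user id claim, never the display name. Fail closed if absent.
        string userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
        {
            return; // not calling Succeed leaves the requirement unmet
        }

        // 2. Which course? Take the id from the route, not from a form field the client can tamper with.
        var routeValues = httpContextAccessor.HttpContext?.Request.RouteValues;
        if (routeValues == null || !int.TryParse(routeValues["id"]?.ToString(), out int courseId))
        {
            return;
        }

        // 3. Compare against the stored author. Succeed only on an exact match;
        //    context.Fail() is reserved for an explicit veto of every other handler.
        string authorId = await courseService.GetCourseAuthorIdAsync(courseId);
        if (authorId == userId)
        {
            context.Succeed(requirement);
        }
    }
}

public static class AuthorizationStartup
{
    // Called from Startup.ConfigureServices.
    public static void ConfigureAuthorization(IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CourseAuthor", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.Requirements.Add(new CourseAuthorRequirement());
            });

            // Global enforcement: endpoints without any [Authorize]/[AllowAnonymous] fall back to
            // "authenticated user required", so a forgotten attribute fails closed instead of open.
            options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
        });

        // Scoped because the handler depends on scoped data access; the handler
        // is discovered by its IAuthorizationHandler registration, not by name.
        services.AddScoped<IAuthorizationHandler, CourseAuthorRequirementHandler>();
    }
}

// Per-action enforcement: role AND policy must both pass on Edit and Delete.
[Authorize(Roles = "Teacher")]
public class CoursesController : Controller
{
    [Authorize(Policy = "CourseAuthor")]
    public IActionResult Edit(int id) => View();

    [Authorize(Policy = "CourseAuthor")]
    public IActionResult Delete(int id) => View();
}
```

Both the GET that renders the form and the POST that saves it must carry the policy, otherwise a teacher who cannot open the edit page can still submit a crafted POST for someone else's course id.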

IMPERATIVELY AUTHORIZE WITH IAUTHORIZATIONSERVICE

Our principal has decided that there is no limit to the number of courses a teacher can publish; however, when that number reaches five or more she wants to be notified by email, because a teacher who publishes many courses may neglect some of them and leave them inaccurate. To achieve this I created a Policy, again in /Models/Authorization, which is invoked from the Create action of the CoursesController. I'll show you the code.

Figure: Create action
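As an added example, not the project's code, here is how such a policy can be evaluated imperatively with IAuthorizationService from inside the Create action, so that the outcome drives a notification rather than a 403. The policy name "CourseLimit", the threshold constant, the hypothetical ICourseService and IEmailClient abstractions and the notification address are all assumptions:

```csharp
// Added example: imperative policy evaluation with IAuthorizationService.
// Assumed: policy "CourseLimit" (threshold 5), hypothetical ICourseService and IEmailClient.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Parameterised requirement: the threshold travels with the requirement, not the handler.
public class CourseLimitRequirement : IAuthorizationRequirement
{
    public int MaxCourses { get; }
    public CourseLimitRequirement(int maxCourses) => MaxCourses = maxCourses;
}

public interface ICourseService
{
    Task<int> CountCoursesByAuthorAsync(string authorId);
    Task<int> CreateCourseAsync(string authorId, string title); // returns the new course id
}

public interface IEmailClient
{
    Task SendAsync(string to, string subject, string body);
}

public class CourseLimitRequirementHandler : AuthorizationHandler<CourseLimitRequirement>
{
    private readonly ICourseService courseService;
    public CourseLimitRequirementHandler(ICourseService courseService) => this.courseService = courseService;

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CourseLimitRequirement requirement)
    {
        string userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId)) return;

        // Count the courses already published; the one being created is not counted yet.
        int published = await courseService.CountCoursesByAuthorAsync(userId);
        if (published < requirement.MaxCourses)
        {
            context.Succeed(requirement);
        }
    }
}

public static class CourseLimitStartup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("CourseLimit", policy => policy.Requirements.Add(new CourseLimitRequirement(5))));
        services.AddScoped<IAuthorizationHandler, CourseLimitRequirementHandler>();
    }
}

[Authorize(Roles = "Teacher")]
public class CoursesController : Controller
{
    private readonly IAuthorizationService authorizationService;
    private readonly ICourseService courseService;
    private readonly IEmailClient emailClient;

    public CoursesController(IAuthorizationService authorizationService, ICourseService courseService, IEmailClient emailClient)
    {
        this.authorizationService = authorizationService;
        this.courseService = courseService;
        this.emailClient = emailClient;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Create(string title)
    {
        string userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        // Ask the authorization service to evaluate the named policy for the current user.
        AuthorizationResult result = await authorizationService.AuthorizeAsync(User, "CourseLimit");

        // Here an unmet policy is a signal, not a veto: the principal wants an email, not a block.
        if (!result.Succeeded)
        {
            await emailClient.SendAsync("principal@example.com",
                "Teacher reached the course threshold",
                $"User {userId} is publishing their fifth or later course: \"{title}\".");
        }

        int courseId = await courseService.CreateCourseAsync(userId, title);
        return RedirectToAction("Detail", new { id = courseId });
    }
}
```

Because the decision is taken in code rather than by the Authorize filter, a failed result does not automatically produce a 403; the action decides what to do with it, which is exactly what makes IAuthorizationService the right tool when the consequence of a policy is something other than denying the request.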

LINK TO CODE ON GITHUB

GITHUB

Download the section18 code or the master branch, or clone the GITHUB repository to have all the sections available in your favorite editor.