For the project I’m working on, I have to grant users access to pages. Pretty standard; ThinkTecture solved this problem long ago. Since this is a government project, they don’t understand the benefit of using a lot of outside packages. So, based on a blog post from Dominick Baier on using claims-based authorization in MVC, I built the following method:
```csharp
using System.Linq;
using System.Security.Claims;

// principal is the current user's ClaimsPrincipal (e.g. taken from HttpContext.User).
public bool IsAllowedTo(string action, params string[] resources)
{
    if (principal == null)
    {
        return false;
    }

    var authorized = false;
    // Build one claim type per resource, e.g. "urn:Read/MyView", and look each one up.
    foreach (var claimType in resources.Select(x => string.Format("urn:{0}/{1}", action, x)))
    {
        var claim = principal.FindFirst(claimType);
        if (claim == null) continue;

        // Only a claim whose value parses as boolean true grants access.
        bool value;
        if (bool.TryParse(claim.Value, out value))
            authorized |= value;
    }

    return authorized;
}
```
This is being called by a custom authorization attribute that inherits from AuthorizeAttribute, in the overridden AuthorizeCore method.
This allows me to have permissions such as in the blog post:
```csharp
[MyAuthorization("Read", "ControllerAction", "MyView")]
public IActionResult ControllerAction()
```
This would mean that I would need a claim with the type “urn:Read/ControllerAction” or “urn:Read/MyView” with the value “true” to be able to view the page.
The ThinkTecture project goes a lot deeper and is a lot better, so use that if you can. If not, for the basic purpose here, this will check if a user has the correct claims.
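The post mentions the attribute and its AuthorizeCore override but does not show them, so here is an added example (not code from the post) of how the check wires into an ASP.NET MVC 5 attribute, plus a small console demo that exercises the check against a constructed set of claims. It assumes the System.Web.Mvc assembly is referenced and uses the names MyAuthorizationAttribute and ClaimCheck as placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Assumed attribute wiring; requires the ASP.NET MVC 5 (System.Web.Mvc) assembly.
public class MyAuthorizationAttribute : AuthorizeAttribute
{
    private readonly string action;
    private readonly string[] resources;

    public MyAuthorizationAttribute(string action, params string[] resources)
    {
        this.action = action;
        this.resources = resources;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Fail closed: no principal, or an unauthenticated one, gets a 401 from the base attribute.
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated) return false;
        return ClaimCheck.IsAllowedTo(principal, action, resources);
    }
}

public static class ClaimCheck
{
    // True when any "urn:{action}/{resource}" claim on the principal parses as boolean true.
    public static bool IsAllowedTo(ClaimsPrincipal principal, string action, params string[] resources)
    {
        if (principal == null) return false;
        return resources
            .Select(r => principal.FindFirst(string.Format("urn:{0}/{1}", action, r)))
            .Where(c => c != null)
            .Any(c => bool.TryParse(c.Value, out var granted) && granted);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample user: allowed to read MyView, explicitly "false" on ControllerAction.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("urn:Read/MyView", "true"),
            new Claim("urn:Read/ControllerAction", "false"),
        }, "Test");
        var user = new ClaimsPrincipal(identity);

        Console.WriteLine(ClaimCheck.IsAllowedTo(user, "Read", "ControllerAction", "MyView"));
        Console.WriteLine(ClaimCheck.IsAllowedTo(user, "Read", "ControllerAction"));
        Console.WriteLine(ClaimCheck.IsAllowedTo(user, "Write", "MyView"));
    }
}
```

Note that a claim with any value other than a parseable "true" (including "false", "yes" or "1") does not grant access, and an action that has no matching claims at all is denied.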