For the project I’m working on, I have to grant users access to pages. Pretty standard, ThinkTecture solved this problem long ago. Since this is a government project, they don’t understand the benefit of using a lot of outside packages. So, based off of a blog post from Dominick Baier on using claims based authorization in MVC, I build the following method:
public bool IsAllowedTo(string action, params string[] resources)
{
if (principal == null)
{
return false;
}
var authorized = false;
foreach (var claimType in this.resources
.Select(x => string.Format("urn:{0}/{1}", this.action, x)))
{
var claim = principal.FindFirst(claimType);
if (claim == null)
continue;
bool value;
if (bool.TryParse(claim.Value, out value))
authorized |= value;
}
return authorized;
}
This is being called by a custom authorization attribute that inherits from AuthorizeAttribute in the overriden AuthorizeCore method.
This allows me to have permissions such as in the blog post:
[MyAuthorization("Read", "ControllerAction", "MyView")]
public IActionResult ControllerAction()
This would mean that I would need a claim with the type “urn:Read/ControllerAction”or “urn:Read/MyView” with the value “true” to be able to view the page.
The ThinkTecture project goes a lot deeper and is a lot better, so use that if you can. If not, for the basic purpose here, this will check if a user has the correct claims.
