Policy-based authorization in Oqtane
In Startup.cs each Policy defines a list of permission requirements. Each PermissionRequirement consists of an EntityName and a PermissionName.
All Permissions are stored in the Oqtane database.
Each user identity gets claims that carry the user's Permissions.
PermissionHandler is the Oqtane implementation of AuthorizationHandler<TRequirement> : IAuthorizationHandler. Its HandleRequirementAsync method decides whether the user has the required permissions, based on the HttpContext (which supplies the EntityId), the AuthorizationHandlerContext (which supplies the user's claims) and the permission requirements of the policy.
For Oqtane:
// permission is scoped based on EntityId which must be passed as a querystring parameter
Options
[Authorize(Policy = PolicyNames.ViewPage)]
[Authorize(Policy = PolicyNames.EditPage)]
[Authorize(Policy = PolicyNames.ViewModule)]
[Authorize(Policy = PolicyNames.EditModule)]
[Authorize(Policy = PolicyNames.ViewFolder)]
[Authorize(Policy = PolicyNames.EditFolder)]
[Authorize(Policy = PolicyNames.ListFolder)]
Notes
Recommended: secure the API Controller with policies, because policy evaluation is dynamic (permissions are data in the database and can be changed without redeploying code).
Multiple policies are allowed by stacking attributes; every policy must be satisfied (they are ANDed):
[Authorize(Policy = PolicyNames.ListFolder)]
[Authorize(Policy = PolicyNames.ViewFolder)]
Razor pages and components can also be secured the same way.
More info
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-5.0
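The following is an added example, not Oqtane's own code, showing the three pieces described above wired together: a requirement type holding EntityName and PermissionName, a policy in Startup.cs built from such requirements, and a handler that scopes the check to the EntityId taken from the ?entityid= query string. The claim format ("Permission" claims with value "EntityName:EntityId:PermissionName"), the PolicyNames constants and the PageController are assumptions made for this example; Oqtane's real handler and claim layout may differ.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement: one (EntityName, PermissionName) pair, e.g. ("Page", "View").
public class PermissionRequirement : IAuthorizationRequirement
{
    public string EntityName { get; }
    public string PermissionName { get; }

    public PermissionRequirement(string entityName, string permissionName)
    {
        EntityName = entityName;
        PermissionName = permissionName;
    }
}

// Hypothetical handler following the page's description (assumed claim layout):
// the user's permissions are claims of type "Permission" with value
// "{EntityName}:{EntityId}:{PermissionName}", and the EntityId being accessed
// comes from the ?entityid= query string parameter of the current request.
public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IHttpContextAccessor _accessor;

    public PermissionHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        var http = _accessor.HttpContext;
        if (http == null) return Task.CompletedTask; // no request: do not succeed

        // Fail closed: the scope must be explicit. A missing or non-numeric
        // entityid never grants access; the policy simply stays unsatisfied.
        var raw = http.Request.Query["entityid"].ToString();
        if (!int.TryParse(raw, out var entityId) || entityId < 0)
            return Task.CompletedTask;

        // Exact match on entity name, entity id and permission name.
        var expected = $"{requirement.EntityName}:{entityId}:{requirement.PermissionName}";
        if (context.User.HasClaim(c => c.Type == "Permission" && c.Value == expected))
            context.Succeed(requirement);

        // Not calling context.Fail() lets other handlers (e.g. a host override) still succeed.
        return Task.CompletedTask;
    }
}

// Assumed policy names for this example.
public static class PolicyNames
{
    public const string ViewPage = "ViewPage";
    public const string EditPage = "EditPage";
}

public static class AuthorizationSetup
{
    // Called from Startup.ConfigureServices: each policy is a list of permission requirements.
    public static IServiceCollection AddPermissionPolicies(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddAuthorization(options =>
        {
            options.AddPolicy(PolicyNames.ViewPage,
                p => p.Requirements.Add(new PermissionRequirement("Page", "View")));
            // Editing requires both permissions; both requirements must succeed.
            options.AddPolicy(PolicyNames.EditPage, p =>
            {
                p.Requirements.Add(new PermissionRequirement("Page", "View"));
                p.Requirements.Add(new PermissionRequirement("Page", "Edit"));
            });
        });
        services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
        return services;
    }
}

// Assumed controller showing the attribute in use. Because the handler reads
// ?entityid=, a call must look like GET /api/page/5?entityid=5; omitting the
// parameter yields 403 even for a user who holds the permission on page 5.
[ApiController]
[Route("api/[controller]")]
public class PageController : ControllerBase
{
    [HttpGet("{id}")]
    [Authorize(Policy = PolicyNames.ViewPage)]
    public IActionResult Get(int id) => Ok(new { id });

    [HttpPut("{id}")]
    [Authorize(Policy = PolicyNames.EditPage)]
    public IActionResult Put(int id) => NoContent();
}
```

One caveat the page's own note implies but does not spell out: the route value (id) and the scope value (entityid) are supplied separately by the caller. The handler only proves the user may act on the entityid it was given, so the action should verify that entityid matches the id it actually operates on, otherwise a caller can pass a permitted entityid while targeting a different id.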
Role-based authorization in Oqtane
Options
[Authorize(Roles = RoleNames.Everyone)]
[Authorize(Roles = RoleNames.Host)]
[Authorize(Roles = RoleNames.Admin)]
[Authorize(Roles = RoleNames.Registered)]
Notes
Not recommended, because roles are not fully dynamic: role names are fixed constants in code, whereas permissions are stored in the database and can be granted or revoked at runtime.
Multiple roles are allowed as a comma-separated list; the user needs any one of them (they are ORed):
[Authorize(Roles = RoleNames.Admin + "," + RoleNames.Registered)]
Can be combined with policies; both the role and the policy must be satisfied:
[Authorize(Roles = RoleNames.Admin,Policy = PolicyNames.EditPage)]
More info
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-5.0