Policy-based authorization in Oqtane

In Startup.cs each Policy defines a list of permission requirements. Each PermissionRequirement consists of an EntityName and a PermissionName.

All Permissions are stored in the Oqtane database.

Each user identity gets claims that contain the user's Permissions.

PermissionHandler is Oqtane's implementation of AuthorizationHandler<TRequirement> : IAuthorizationHandler. Its HandleRequirementAsync method decides whether the user has the required permissions, based on the HttpContext, the AuthorizationHandlerContext and the permission requirements.

For Oqtane:

// permission is scoped based on EntityId which must be passed as a querystring parameter
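
The following is an added illustrative example, not Oqtane's own code: a requirement class with the EntityName/PermissionName shape described above, a handler that scopes the check to the entityid query-string parameter, and the Startup.cs registration that turns each policy into a list of requirements. The claim type "Permission", the claim value format "{EntityName}:{EntityId}:{PermissionName}", and the PolicyNames constants are assumptions made for the example; Oqtane's real handler resolves permissions differently.

```csharp
// Added illustrative example (not Oqtane's own code): an entity-scoped
// permission requirement, its handler, and policy registration.
// Assumption: permissions arrive as claims of type "Permission" whose
// value is "{EntityName}:{EntityId}:{PermissionName}" (hypothetical format).
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class PolicyNames
{
    public const string ViewPage = "ViewPage";
    public const string EditPage = "EditPage";
}

// One requirement is one (EntityName, PermissionName) pair, as on the page.
public class PermissionRequirement : IAuthorizationRequirement
{
    public string EntityName { get; }
    public string PermissionName { get; }

    public PermissionRequirement(string entityName, string permissionName)
    {
        EntityName = entityName;
        PermissionName = permissionName;
    }
}

public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IHttpContextAccessor _accessor;

    public PermissionHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        var http = _accessor.HttpContext;

        // Fail closed: the permission is scoped to an entity, so a missing or
        // non-numeric entityid cannot satisfy the requirement. Not calling
        // Succeed() leaves the requirement unmet and the request is denied.
        if (http == null
            || !int.TryParse(http.Request.Query["entityid"].ToString(), out int entityId))
        {
            return Task.CompletedTask;
        }

        // Build the claim value we expect for this entity, e.g. "Page:12:View".
        string expected = $"{requirement.EntityName}:{entityId}:{requirement.PermissionName}";
        bool granted = context.User.Claims.Any(c =>
            c.Type == "Permission" &&
            string.Equals(c.Value, expected, StringComparison.OrdinalIgnoreCase));

        if (granted)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Startup.ConfigureServices: each policy holds a list of requirements, and
// the handler is registered so ASP.NET Core evaluates them.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddAuthorization(options =>
        {
            options.AddPolicy(PolicyNames.ViewPage, policy =>
                policy.Requirements.Add(new PermissionRequirement("Page", "View")));
            options.AddPolicy(PolicyNames.EditPage, policy =>
                policy.Requirements.Add(new PermissionRequirement("Page", "Edit")));
        });
        services.AddScoped<IAuthorizationHandler, PermissionHandler>();
    }
}
```

A request to an action marked [Authorize(Policy = PolicyNames.ViewPage)] is only authorized when it carries ?entityid=<id> and the user holds the matching claim; the handler deliberately never fails the context explicitly, so other handlers for the same requirement could still succeed, which is the standard ASP.NET Core pattern.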

Options

[Authorize(Policy = PolicyNames.ViewPage)]
[Authorize(Policy = PolicyNames.EditPage)]
[Authorize(Policy = PolicyNames.ViewModule)]
[Authorize(Policy = PolicyNames.EditModule)]
[Authorize(Policy = PolicyNames.ViewFolder)]
[Authorize(Policy = PolicyNames.EditFolder)]
[Authorize(Policy = PolicyNames.ListFolder)]

Notes

It is recommended to secure the Controller with policies, because policy-based authorization is dynamic.

Multiple policies are allowed. Each [Authorize] attribute takes a single policy, so stack one attribute per policy; all of them must be satisfied.

[Authorize(Policy = PolicyNames.ListFolder)]
[Authorize(Policy = PolicyNames.ViewFolder)]

Razor pages can also be secured.

More info

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-5.0


Role-based authorization in Oqtane

Options

[Authorize(Roles = RoleNames.Everyone)]
[Authorize(Roles = RoleNames.Host)]
[Authorize(Roles = RoleNames.Admin)]
[Authorize(Roles = RoleNames.Registered)]

Notes

Not recommended, because it is not fully dynamic.

Multiple roles are allowed. Roles is a single comma-separated string, and a user in any one of the listed roles is authorized.

[Authorize(Roles = RoleNames.Admin + "," + RoleNames.Registered)]

Roles can be combined with policies; both must be satisfied.

[Authorize(Roles = RoleNames.Admin, Policy = PolicyNames.EditPage)]
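
The controller below is an added example, not Oqtane's own code, showing how the attribute forms on this page compose on a controller: stacked policies (the "Multiple policies" note above), a comma-separated role list, and a role combined with a policy. The PolicyNames and RoleNames constants are hypothetical stand-ins for Oqtane's, and the entityid query parameter is the one the permission handler reads.

```csharp
// Added illustrative example (not Oqtane's own code): how [Authorize]
// attributes compose on an API controller. The constants below are
// hypothetical stand-ins for Oqtane's PolicyNames and RoleNames.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public static class PolicyNames
{
    public const string ViewFolder = "ViewFolder";
    public const string ListFolder = "ListFolder";
    public const string EditPage = "EditPage";
}

public static class RoleNames
{
    public const string Admin = "Administrators";
    public const string Registered = "Registered Users";
}

[ApiController]
[Route("api/[controller]")]
public class FolderController : ControllerBase
{
    // Two stacked [Authorize] attributes: BOTH policies must succeed.
    // Each policy is evaluated by the permission handler, which reads the
    // entityid query parameter, e.g. GET /api/folder/list?entityid=7
    [HttpGet("list")]
    [Authorize(Policy = PolicyNames.ListFolder)]
    [Authorize(Policy = PolicyNames.ViewFolder)]
    public IActionResult List([FromQuery] int entityid) => Ok(new { folderId = entityid });

    // Roles inside ONE attribute form a comma-separated OR list:
    // membership in Admin OR Registered satisfies this check.
    [HttpGet("members")]
    [Authorize(Roles = RoleNames.Admin + "," + RoleNames.Registered)]
    public IActionResult Members() => Ok();

    // Roles and Policy in the same attribute are ANDed: the caller must be
    // in the Admin role AND satisfy the EditPage policy for ?entityid=.
    [HttpPut("page")]
    [Authorize(Roles = RoleNames.Admin, Policy = PolicyNames.EditPage)]
    public IActionResult EditPage([FromQuery] int entityid) => Ok(new { pageId = entityid });
}
```

The attribute arguments must be compile-time constants, which is why the role list is written as a concatenation of const strings rather than as two separate arguments; securing the action rather than the Razor component means the check holds for direct API calls as well.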

More info

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-5.0