asp.net core razor pages. Authorize access for group of users

Question

My project contains several modules, each of it having its own folder in /Pages. The application may be used by several companies and I've already implemented a role base authorization for users but I want to limit access to each project folders for each company. What I have in mind is to have something similar with Roles [Authorize(Roles = "Management,Safety,Issuer,Receiver,IsoCert" )] but to be able to assign companies codes for accessing folders. How can this be achieved?

Sachin Singh · Answer

var orgAccess = _context.CompanyAccesses.where(x=>x.AccessCode==requirement.AccessCode).singleOrDefault(); if (orgAccess!=null) { context.Succeed(requirement); }

Sachin Singh · Answer

sir then the best is to create a custom authorize attribute with company code internal class CompanyAuthorizeAttribute : AuthorizeAttribute { const string POLICY_PREFIX = "CompanyName" ; public CompanyAuthorizeAttribute (string CompanyCode) => CompanyCode= CompanyCode; // Get or set the Age property by manipulating the underlying Policy property public string CompanyCode { get { if (Policy.Substring(POLICY_PREFIX.Length), out var CompanyCode)) { return CompanyCode; } return default (string); } set { Policy = $ "{POLICY_PREFIX}{value.ToString()}" ; } } } Now use as [CompanyAuthorize( "Company1" )] public IActionResult MyAction() { }

Sachin Singh · Answer

sir there is already an AuthorizeFolder fascility in core razor pages, just use that services.AddRazorPages(options => { options.Conventions.AuthorizeFolder( "/Private" ); options.Conventions.AllowAnonymousToFolder( "/Private/PublicPages" ); }); https://docs.microsoft.com/en-us/aspnet/core/security/authorization/razor-pages-authorization?view=aspnetcore-5.0

Marius Vasile · Answer

I managed to make it work now, in startup I had to add the following line options.AddPolicy( "PTW" , policy => policy.Requirements.Add( new AccessCodeRequirement( "RO-01" ))); }); services.AddTransient ();

Marius Vasile · Answer

I still have Access denied, either with orgAccess == null or orgAccess != null

Marius Vasile · Answer

I tyried to implement authorize with policy like below using System; using System.Security.Claims; using System.Threading.Tasks; using Microsoft.AspNetCore.Authorization; using RoSafety.Models; using System.Linq; using Microsoft.EntityFrameworkCore; using RoSafety.Data; public class AccessCodeRequirement : IAuthorizationRequirement { public string AccessCode { get ; set ; } public AccessCodeRequirement( string accessCode) { AccessCode = accessCode; } } public class AccessCodeHandler : AuthorizationHandler { private readonly ApplicationDbContext _context; protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AccessCodeRequirement requirement) { var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier); var orgID = _context.UsersData.Where(x => x.Id == userId).Select(x => x.OrgID).FirstOrDefault(); var orgAccess = _context.CompanyAccesses.Select(x => x.AccessCode).ToList(); foreach (var a in orgAccess) { var access = a; if (access == requirement.AccessCode) { context.Succeed(requirement); } } return Task.CompletedTask; } } the startup options.AddPolicy( "PTW" , policy => policy.Requirements.Add( new AccessCodeRequirement( "RO-01" ))); and the page [Authorize(Policy = "PTW" )] The AccessCode for an OrgID in CompanyAccesses table is "RO-01" but I still have Access denied. What I do wrong?

Marius Vasile · Answer

I've created the access codes for the Company but when I write the code I have error Cannot convert bool to string using Microsoft.AspNetCore.Authorization; internal class CompanyAuthorizeAttribute : AuthorizeAttribute { const string POLICY_PREFIX = "CompanyCode" ; public CompanyAuthorizeAttribute( string CompanyAccess) => this .CompanyAccess = CompanyAccess; public string CompanyAccess { get { if (Policy.Substring(POLICY_PREFIX.Length) out var CompanyAccess) { return CompanyAccess; } return default ( string ); } set { Policy = $ "{POLICY_PREFIX}{value.ToString()}" ; } } }

Sachin Singh · Answer

yes sir any logic as per business requirement is right , test with it.

Marius Vasile · Answer

So, if let's say, I have Company1, Company2,....Company100 and folders in my application Folder1, Folder2,....Folder10 ignoring the specific User Roles that are the same for any user, I will have for example tbl_1 IdCompany CompanyName CompanyCode tbl_2 IdAccess AccesCode so AccessCode will be 1,2,3...10 coresponding to folders so when I give access to any Company I will just assign for Company1, AccessCode 2,6,10 and I have to write that for each page of that specific folder [CompanyAuthorize("2,6,10")] is that right?

Marius Vasile · Answer

But users from different companies will have the same roles. data is saved for each company and I will have to have the company being authorize for folder and then its users authorized for each page. I can do the users but how do I authorize companies?

Sachin Singh · Answer

after securing folder when you will use Authorize attribute with code as RoleNames then only companies having that role will be able to access any page inside those folders. Apply Authorize with company code after securing folder and test.

Marius Vasile · Answer

I've seen that article, but if I have for example a company called "Insurance Co." and I give a code "ICO-01" how do I build authorization so that I can easily give or take from an Admin page? If a company decide to use 4 of my applications, I want to be able to assign 4 codes, similar with User Role, to access those folders