I know in controllers, you can write [Authorize("policyName")] without an issue, but is there any way to use a policy in a view? I'd rather not use User.IsInRole(...) every single time I want to authorize some HTML.
Edit:
Here's some code
Startup.cs -- Policy Declaration
services.AddAuthorization(options =>
{
options.AddPolicy("testPolicy", policy =>
{
policy.RequireAuthenticatedUser()
.RequireRole("RoleOne", "RoleTwo", "RoleThree")
.RequireClaim(ClaimTypes.Email);
});
});
Admin Controller
[Authorize("testPolicy")]
public class AdminController : Controller
{
public IActionResult Index()
{
return View();
}
}
Navbar HTML
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li><a asp-controller="Home" asp-action="Index">Home</a></li>
<!-- I want to implement my policy here. -->
@if (User.IsInRole("..."))
{
<li><a asp-controller="Admin" asp-action="Index">Admin</a></li>
}
</ul>
@await Html.PartialAsync("_LoginPartial")
</div>
</div>
I found this link which may be helpful: https://docs.asp.net/en/latest/security/authorization/views.html
Examples from that page:
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
{
<p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
In some cases the resource will be your view model, and you can call AuthorizeAsync in exactly the same way as you would check during resource based authorization;
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
{
<p><a class="btn btn-default" role="button"
href="@Url.Action("Edit", "Document", new {id= Model.Id})">Edit</a></p>
}
I ended up creating a tag helper to conditionally hide the element it's associated with.
[HtmlTargetElement(Attributes = "policy")]
public class PolicyTagHelper : TagHelper
{
private readonly IAuthorizationService _authService;
private readonly ClaimsPrincipal _principal;
public PolicyTagHelper(IAuthorizationService authService, IHttpContextAccessor httpContextAccessor)
{
_authService = authService;
_principal = httpContextAccessor.HttpContext.User;
}
public string Policy { get; set; }
public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
{
// if (!await _authService.AuthorizeAsync(_principal, Policy)) ASP.NET Core 1.x
if (!(await _authService.AuthorizeAsync(_principal, Policy)).Succeeded)
output.SuppressOutput();
}
}
Usage
<li policy="testPolicy"><a asp-controller="Admin" asp-action="Index">Admin</a></li>
This is one of the big improvements in ASP Core when you can inject the identity to all pages in the startup file:
@if (User.IsInRole("Admin"))
{
<p>
<a asp-action="Create" asp-controller="MyController">Create New</a>
</p>
}
In Startup.cs:
services.AddIdentity<ApplicationUser, IdentityRole>()
EDIT: Ok I misread the post, you already knew this :) - ill leave it anyway if someone can use it.
来源:https://stackoverflow.com/questions/36068655/any-way-to-use-authorization-policies-in-a-view-in-net-core-1-0-mvc