Commit
Rearranged Readme plus other comments
JonPSmith committed Jul 27, 2019
1 parent 4f812a3 commit ab48035
Showing 4 changed files with 21 additions and 21 deletions.
1 change: 1 addition & 0 deletions PermissionAccessControl2/Startup.cs
Expand Up @@ -117,6 +117,7 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
app.UseCookiePolicy();
app.UseAuthentication();

//This should come AFTER the app.UseAuthentication() call
if (Configuration["DemoSetup:UpdateCookieOnChange"] == "True")
{
//If UpdateCookieOnChange this adds a header which has the time that the user's claims were updated
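Review bot: the added comment states that the block must come after app.UseAuthentication() but not why; adding the reason (the middleware it registers reads the signed-in user's claims, which HttpContext.User only carries once the authentication middleware has run) makes the ordering constraint harder to break in a later refactor. On the line below it, `Configuration["DemoSetup:UpdateCookieOnChange"] == "True"` is a case-sensitive string comparison, so a value of `true` in appsettings.json or in an environment override silently disables the feature; `Configuration.GetValue<bool>("DemoSetup:UpdateCookieOnChange")` accepts both spellings.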
1 change: 0 additions & 1 deletion PermissionAccessControl2/Views/Cache/Index.cshtml
Expand Up @@ -18,7 +18,6 @@ else
<li>@claim.ToString()</li>
}
</ul>
<p><i>NOTE: UpdateCookieOnChange must be set to true in appsettings.json for dynamic changes in user's permissions to work.</i></p>
<a class="btn btn-primary" asp-area="" asp-controller="Cache" asp-action="Toggle">Toggle Cache</a>
}
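Review bot: deleting the NOTE removes the only on-page hint that the Toggle Cache button produces a visible change only when UpdateCookieOnChange is true, and the Startup.cs change in this same commit still gates the claims-updated header on that setting. If the note is being moved rather than retired, none of the README hunks in this commit carry it; consider keeping a one-line pointer here or documenting the setting next to the DemoSetup section in README.md.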

39 changes: 20 additions & 19 deletions README.md
Expand Up @@ -6,7 +6,7 @@ This is open-source application (MIT license).
## See the articles

* Part 3: [A better way to handle authorization - six months on](https://www.thereformedprogrammer.net/a-better-way-to-handle-asp-net-core-authorization-six-months-on/).
* Part 4: Handling data authorization - six months on (coming soon).
* Part 4: [Building a robust and secure data authorization with EF Core](https://www.thereformedprogrammer.net/part-4-building-a-robust-and-secure-data-authorization-with-ef-core/).
* Part 5: A better way to handle authorization - refreshing users claims (coming soon).

## How to play with the application
Expand All @@ -17,6 +17,7 @@ The default setting (see Configuration section below) will use in-memory databas

1. Different **Permissions**, which controls what they can do, e.g. only a StoreManager can provide a refund.
2. Different **DataKey**, which controls what part of the shop data they can see, e.g. a SalesAssistant and StoreManager can only see the data in their shop, but a Director can see all shop data in the company.
3. A **Change Role** menu dropdown which allows you to try the "refreshing users claims" feature described in the Part 5 article.

There is a link on the home page to a list of users that you can log in via (the email address is also the password). There are two different companies, 4U Inc. and Pets2 Ltd., which have a number of shops in different divisions, represented by hierarchical data. Logging in as a user will give you access to some features and data (if linked to data).

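Review bot: the new item 3 sends readers to "the Part 5 article" while the article list above in this same file still marks Part 5 as "(coming soon)"; say "the forthcoming Part 5 article" here, or add the link once it is published, so the reference does not read as a broken one.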
Expand All @@ -26,23 +27,6 @@ The home page gives you more information onf what you can do.

The [appsetting.json file](https://github.com/JonPSmith/PermissionAccessControl2/blob/master/PermissionAccessControl2/appsettings.json) contains settings that configure how the system runs.

### Setting up SuperAdmin user

The appsetting.json file should have a "SuperAdmin" section as shown below. on startup the extension method `CheckAddSuperAdminAsync` checks to see if there is a user with the role "SuperAdmin". If there isn't it tries to add a user with the given email (which will fail if that is already used).

```javascript
"SuperAdmin": //This holds the information on the superuser. You must have one SuperUser setup otherwise you can't manage users
{
"Email": "... email of super admin user ...",
"Password": "... password ..."
},
```

NOTES:

1. I recommend you override the email/password values when deploying, using something like Azure's override of appsettings.json.
2. Because the role "SuperAdmin" is so powerful I recommend you only have one user with that role. You use the "SuperAdmin" user to set up the other admin users and use them for your normal admin jobs.

### Controlling how the demo works

This application is written to work with both in-memory or normal (e.g. SQL Server) databases (version 1 only worked with in-memory, but that made it difficult to convert to normal databases). The "DemoSetup" section is shown below:
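Review bot: since this hunk already edits the README around it, the typo in the context line "more information onf what you can do" ("on") is worth fixing in the same commit. The unchanged line just above the removed block also calls the file "appsetting.json" while its link target is named appsettings.json; aligning the two saves readers hunting for a file that does not exist.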
Expand All @@ -61,4 +45,21 @@ If you use "Permanent" for the "DatabaseSetup" then you need to provide two conn
"DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=PermissionAccessControl2-AspNetCoreIdentity;Trusted_Connection=True;MultipleActiveResultSets=true",
"DemoDatabaseConnection": "Server=(localdb)\\mssqllocaldb;Database=PermissionAccessControl2-DemoDatabase;Trusted_Connection=True;MultipleActiveResultSets=true"
},
```
```

### Setting up SuperAdmin user

The appsetting.json file should have a "SuperAdmin" section as shown below. on startup the extension method `CheckAddSuperAdminAsync` checks to see if there is a user with the role "SuperAdmin". If there isn't it tries to add a user with the given email (which will fail if that is already used).

```javascript
"SuperAdmin": //This holds the information on the superuser. You must have one SuperUser setup otherwise you can't manage users
{
"Email": "... email of super admin user ...",
"Password": "... password ..."
},
```

NOTES:

1. I recommend you override the email/password values when deploying, using something like Azure's override of appsettings.json.
2. Because the role "SuperAdmin" is so powerful I recommend you only have one user with that role. You use the "SuperAdmin" user to set up the other admin users and use them for your normal admin jobs.
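Review bot: the relocated SuperAdmin section keeps the sentence-case slip "shown below. on startup" ("On startup") and the "appsetting.json" spelling; both are cheap to fix while the block is being moved. On substance, note 1 could also name the developer-side option: for local runs `dotnet user-secrets` keeps the SuperAdmin email and password out of the committed appsettings.json, while Azure App Settings or environment variables cover deployment. It would also help to state explicitly that the password in this section is a bootstrap credential to be changed after the first login, since the text says `CheckAddSuperAdminAsync` only creates the user when no SuperAdmin exists, so a later edit of the file does not rotate it.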
1 change: 0 additions & 1 deletion ServiceLayer/CodeCalledInStartup/AuthCookieValidate.cs
Expand Up @@ -53,7 +53,6 @@ public async Task ValidateAsync(CookieValidatePrincipalContext context)
if (originalClaims.All(x => x.Type != PermissionConstants.PackedPermissionClaimType) ||
_authChanges.IsOutOfDateOrMissing(AuthChangesConsts.FeatureCacheKey,
originalClaims.SingleOrDefault(x => x.Type == PermissionConstants.LastPermissionsUpdatedClaimType)?.Value,
// ReSharper disable once AccessToDisposedClosure
extraContext))
{
//Handle the feature permissions
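Review bot: removing the ReSharper suppression is safe here, since `extraContext` is passed as a plain argument rather than captured by the `x => ...` lambda, so there is no closure over a disposed object to silence. While on these lines, `SingleOrDefault` on the LastPermissionsUpdated claim throws InvalidOperationException if a cookie ever carries two claims of that type; if the intent is to treat a malformed cookie as out of date rather than fail the request with an exception, `FirstOrDefault` or an explicit duplicate check would be the more defensive choice.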

0 comments on commit ab48035