This repository has been archived by the owner. It is now read-only.

Consider adding an AuthorizationPolicyTagHelper #3785

Closed
brockallen opened this Issue Dec 17, 2015 · 9 comments

brockallen commented Dec 17, 2015

It would be nice to have a tag helper to SuppressOutput for elements when an authorization policy is not satisfied.

Consider this markup:

    <ul>
        <li asp-policy="foo-policy"><a href="#">You Can Access Foo</a></li>
    </ul>

With this tag helper:

    // Applies to any element that carries an asp-policy attribute.
    [HtmlTargetElement(Attributes = "asp-policy")]
    public class AuthorizationPolicyTagHelper : TagHelper
    {
        private readonly IAuthorizationService _authorizationService;
        private readonly IHttpContextAccessor _httpContextAccessor;

        public AuthorizationPolicyTagHelper(IHttpContextAccessor httpContextAccessor, IAuthorizationService authorizationService)
        {
            _httpContextAccessor = httpContextAccessor;
            _authorizationService = authorizationService;
        }

        // Name of the authorization policy the current user must satisfy.
        [HtmlAttributeName("asp-policy")]
        public string Policy { get; set; }

        public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
        {
            // Evaluate the policy against the current user; drop the whole element on failure.
            if (false == await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User, Policy))
            {
                output.SuppressOutput();
            }
        }
    }

Thus the element is hidden if the user is not allowed. It would be quite nice to have this built in for RC2/RTM.

The code's all yours // CLA signed :)

// @HaoK @blowdart

Contributor

tuespetre commented Dec 19, 2015

I love this. ❤️

mikeandersun commented Dec 19, 2015

+1

Contributor

tuespetre commented Dec 19, 2015

How about 'resource' and 'requirement' scenarios?

Author

brockallen commented Dec 19, 2015

Personally, I'd make 2 diff tag helpers -- one for simple policy, and another for resource-based.

But yea, for the resource-based, having some mechanism for inputs (like asp-route-*) would be interesting.

khalidabuhakmeh commented Dec 20, 2015

I like it! 👍

Author

brockallen commented Dec 20, 2015

Well, there you go -- count 'em: 3 +1s -- that's it, they have to do it now. :)

Eilon added this to the Backlog milestone Dec 29, 2015

Member

Eilon commented Dec 29, 2015

We're largely done taking features for this release, so putting this on the backlog. Cool feature!

Contributor

dpaquette commented Nov 5, 2017

I have created an Authorize tag helper that supports roles, policies and authentication schemes. It works exactly like the Authorize attribute and Authorization filter.

Only authenticated users

    <div asp-authorize class="panel panel-default">
        <div class="panel-heading">Welcome !!</div>
        <div class="panel-body">
            If you're logged in, you can see this section
        </div>
    </div>

Only users who are members of a role

    <div asp-authorize asp-roles="Admin" class="panel panel-default">
        <div class="panel-heading">Admin Section</div>
        <div class="panel-body">
            Only admin users can see this section. Top secret admin things go here.
        </div>
    </div>

Only users meeting the requirements for a Policy

    <div asp-authorize asp-policy="Seniors" class="panel panel-default">
        <div class="panel-heading">Seniors Only</div>
        <div class="panel-body">
            Only users age 65 or older can see this section. Early bird dinner coupons go here. The app has a policy named Seniors which requires a claim of type <i>Age</i> with a value greater than or equal to <i>65</i>.
        </div>
    </div>

Policy and role combined

    <div asp-authorize asp-roles="Admin" asp-policy="Seniors" class="panel panel-default">
        <div class="panel-heading">Admin Seniors Only</div>
        <div class="panel-body">
            Only users who have both the Admin role AND are age 65 or older can see this section.
        </div>
    </div>

Would the team be willing to consider including this in the next release of ASP.NET Core? If so, I would be happy to submit a pull request once I have added some unit tests.

My implementation is here:

https://github.com/dpaquette/TagHelperSamples/blob/master/TagHelperSamples/src/TagHelperSamples.Authorization/AuthorizeTagHelper.cs

and I wrote a blog post detailing the usage here:

https://www.davepaquette.com/archive/2017/11/05/authorize-tag-helper.aspx
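
An added example, not part of the thread and not dpaquette's implementation: a tag helper that hides an element only changes what is rendered, so the action behind the hidden link needs the same check on the server. The sketch assumes the `Seniors` policy is built from an `Age` claim as the post describes; the class names `AuthorizationSetup` and `CouponsController` and the action names are hypothetical.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper: registers the "Seniors" policy named in the markup above.
public static class AuthorizationSetup
{
    // Call once during service registration (e.g. from Startup.ConfigureServices).
    public static void AddSeniorsPolicy(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Seniors", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => HasMinimumAge(ctx.User, 65)));
        });
    }

    // Fails closed: a missing or non-numeric Age claim does not satisfy the policy.
    public static bool HasMinimumAge(ClaimsPrincipal user, int minimumAge)
    {
        var claim = user.FindFirst("Age");
        return claim != null
            && int.TryParse(claim.Value, out var age)
            && age >= minimumAge;
    }
}

// Hypothetical controller serving the content the views link to.
public class CouponsController : Controller
{
    // Server-side counterpart of asp-authorize asp-policy="Seniors":
    // requesting the URL directly is still rejected for other users.
    [Authorize(Policy = "Seniors")]
    public IActionResult EarlyBird() => View();

    // Roles and Policy on one attribute must both be satisfied,
    // matching the combined asp-roles + asp-policy markup.
    [Authorize(Roles = "Admin", Policy = "Seniors")]
    public IActionResult AdminSeniors() => View();
}
```

Using the same policy name in the view and on the action keeps the two from drifting apart: the tag helper decides what is shown, the attribute decides what is served.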

Member

mkArtakMSFT commented Sep 12, 2018

Looks like the tag helper @dpaquette has shared here solves the problem and it's really nice.
Closing this as there is already a good solution available.
