ASP, Identity, Blazor: Give permission for delete to specific users.
In my database I have an entity that acts like a group for multiple users. There is an m:n relation between groups and users (IdentityUser).
I want only users in those groups to be able to create/update/delete group-related data, like events in a scheduler or messages in the group chat.
But I can't think of a neat way to prevent other users from adding/deleting things in a group they are not part of. Right now I always get the userId in the controller and then a LINQ statement checks if there is a user with this Id in the group he wants to access.
This feels a bit wrong because I have to make sure that nobody else gets hold of a foreign userId, and it's in a different location than the default role-based authorization I use.
48 Replies
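One way to move the membership check out of the controller body and next to the role-based authorization, shown here as an added example that is not code from the thread: ASP.NET Core's resource-based authorization with an `IAuthorizationHandler`. The user id is read from the authenticated `ClaimsPrincipal` (the `NameIdentifier` claim that Identity issues), never from a request parameter, so a client cannot supply a foreign userId. The entity and type names (`AppDbContext`, `Group`, `GroupMember`, `GroupMessage`, `GroupMemberRequirement`, `GroupMemberHandler`, the `"GroupMember"` policy name and the route) are assumptions for the example, as is .NET 6+ with implicit usings.

```csharp
// Added example (not from the thread). Assumed names: AppDbContext, Group, GroupMember,
// GroupMessage, GroupMemberRequirement, GroupMemberHandler, policy "GroupMember".
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// m:n between Group and IdentityUser through an explicit join entity (works on every EF Core version).
public class Group
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public ICollection<GroupMember> Members { get; set; } = new List<GroupMember>();
}

public class GroupMember
{
    public int GroupId { get; set; }
    public Group Group { get; set; } = null!;
    public string UserId { get; set; } = "";
    public IdentityUser User { get; set; } = null!;
}

public class GroupMessage
{
    public int Id { get; set; }
    public int GroupId { get; set; }
    public Group Group { get; set; } = null!;
    public string Text { get; set; } = "";
}

public class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Group> Groups => Set<Group>();
    public DbSet<GroupMember> GroupMembers => Set<GroupMember>();
    public DbSet<GroupMessage> GroupMessages => Set<GroupMessage>();

    protected override void OnModelCreating(ModelBuilder b)
    {
        base.OnModelCreating(b); // keeps the Identity tables
        b.Entity<GroupMember>().HasKey(m => new { m.GroupId, m.UserId });
    }
}

// The requirement is only a marker; the handler decides.
public class GroupMemberRequirement : IAuthorizationRequirement { }

// Evaluated for a (principal, Group) pair. The user id comes from the signed-in principal,
// so the caller has no way to substitute another user's id.
public class GroupMemberHandler : AuthorizationHandler<GroupMemberRequirement, Group>
{
    private readonly AppDbContext _db;
    public GroupMemberHandler(AppDbContext db) => _db = db;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupMemberRequirement requirement, Group group)
    {
        var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (userId is null) return; // anonymous: requirement stays unmet

        var isMember = await _db.GroupMembers
            .AnyAsync(m => m.GroupId == group.Id && m.UserId == userId);

        if (isMember) context.Succeed(requirement);
        // Deliberately no context.Fail(): another handler (e.g. an admin role) may still succeed.
    }
}

// Registration in Program.cs (assumed location):
// builder.Services.AddAuthorization(o =>
//     o.AddPolicy("GroupMember", p => p.Requirements.Add(new GroupMemberRequirement())));
// builder.Services.AddScoped<IAuthorizationHandler, GroupMemberHandler>();

[ApiController]
[Route("api/groups/{groupId:int}/messages")]
[Authorize] // role/login check stays declarative; group membership is checked per resource below
public class GroupMessagesController : ControllerBase
{
    private readonly AppDbContext _db;
    private readonly IAuthorizationService _authz;
    public GroupMessagesController(AppDbContext db, IAuthorizationService authz) => (_db, _authz) = (db, authz);

    [HttpDelete("{messageId:int}")]
    public async Task<IActionResult> Delete(int groupId, int messageId)
    {
        var group = await _db.Groups.FindAsync(groupId);
        if (group is null) return NotFound();

        var result = await _authz.AuthorizeAsync(User, group, "GroupMember");
        if (!result.Succeeded) return Forbid();

        // Scope the lookup by groupId too: a messageId from another group must not be
        // deletable through a group the caller happens to belong to.
        var message = await _db.GroupMessages
            .SingleOrDefaultAsync(m => m.Id == messageId && m.GroupId == groupId);
        if (message is null) return NotFound();

        _db.GroupMessages.Remove(message);
        await _db.SaveChangesAsync();
        return NoContent();
    }
}
```

The same `IAuthorizationService.AuthorizeAsync(user, group, "GroupMember")` call works from a Blazor component: inject `IAuthorizationService` and take the `ClaimsPrincipal` from the cascading `Task<AuthenticationState>`, then hide the delete button when the result is not `Succeeded`. The server-side check in the handler is still the one that enforces the rule; the UI check only improves the experience.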
I have a problem. Yesterday I was given my first test task regarding ASP.NET Web API, maybe Entity Framework. I had experience with Entity Framework before, but with Web API it is the first time. And now I'm very confused, and I don't know what to do next. I have three models, but now I don't understand how to make a connection between them. I could try to pay for good help, maybe (
Configure One-to-One relationship in Code First Entity Framework
Learn how to configure one-to-one relationship in Entity Framework 6 code-first approach.
Here are some instructions on creating different relations between models.
You just add a property with the type of the foreign entity, and when you create a migration (code-first) the EF tools notice the type and create a relation automatically.
You could create a new post for that, though.
Oh yes, I read it, but when I started to write it I got confused.
Can I show a screenshot of the models?
sure
You can also use three of those: `
Then your text is recognized as code and uses proper formatting.
Oh, thanks. So I have three models.
The relation looks like incidents -> accounts -> contacts
When creating an incident it must have an account, and an account must have a contact.
Models look like this
And actually it looks correct in the API
but I know it's not
Looks alright to me.
Hmm, then I will ask a little differently.
What doesn't work?
Models look like this
When I try [GET] all incidents, how can I show the account in the response body?
Here
How does your query look?
Now I have a basic query
Have you included the account when accessing the incident?
I tried another one; I have an error
Yes, this is the issue.
Try .Include(i => i.Account)
Yep, I try to show it by id
In the DB it's saved like this, only the id
All tables are saved correctly with all information
_context.Incident.Include(i => i.Account).ToListAsync();
This is as it should be.
O_o
?
I feel confused, it worked
The Include thing?
Now you have to include the contact on the account
_context.Incident.Include(i => i.Account).ThenInclude(a => a.Contact).ToListAsync();
You always have to use Include if you want to get data from a related table. EF will look for an entry that matches the id you saved in the first table.
I was wondering why it doesn't work; I forgot ThenInclude.
Thank you very, very much! ❤️
But can I ask one more question?
sure
There is such a point in the test task, but I didn't quite understand it from the point of view of logic.
database structure
incidents -> accounts -> contacts
incident -> account, 1=>M,
account -> contact , 1=> M.
Incident, incident name - primary key, autogenerated, string
Account, Name - > unique string field
Functionality
create web api, asp core, ef code first
Introduce the API to create the following records: contacts, accounts, incidents
account cannot be created without contact
incident cannot be created without account
logic for incident creation method
Validation
if account name is not in the system -> API must return 404 NotFound
if contact is in the system (check by email) -> update contact record, link contact to account if it has not been linked previously.
Otherwise,
create new contact with first name, last name, email and
link just created contact to the account
create new incident, for account and populate incident description field
Do I understand correctly that it's a [POST] request?
create = post
Yep, I know. I mean my POST needs to look like this
forget it
I'm stupid
I read it correctly again
Personally, I would create a new data-transfer object in a case like that.
That object has all the properties the example shows.
In your POST method you can then create a new incident, write all properties from the DTO to the new incident, and add it to the DB.
if I understand it as wrongly as you do
Hmmm
if the above should be the JSON content
You mean to create a new model in which the required fields will be required, and when the POST method is used, create incidents with fields from the first model?
Models only with these fields
Yes, and a POST method that takes this object and then creates a new Incident. Then you write all properties from that DTO to the new incident.
Thank you very much ❤️❤️❤️❤️
If there are still problems, I will ask ❤️
No problem
I could solve my problem somehow. I refactored my code a bit and now I have a cleaner solution I'm satisfied with. I'm still interested in better solutions, though.
This was the original question, btw.
The 2nd question got here by mistake, but it looked like a question I could answer, so I tried to solve it in this post.
I stole this thread
sorry
np