❔ Ownership-based permission system...?
So, in my ASP.NET 7 app I have a system of user clubs. Each club can have a founder and members, and each member can also be a mod for that community. The roles of a founder and moderator are represented as an enum on the join table.
Now, I want to restrict some stuff to given roles. Like, only the founder can edit the settings of the club, and only the moderators or founders can kick or ban users. And you need to be a member to post there, etc.
Currently, I just add one more .Where() to each query that checks for the given role, but maybe there's some better solution? Some middleware or something that'd let me just slap [Authorize(PolicyNames.ClubFounder)] onto a controller and be done with it?
Sure, for the users of my app it might make sense
But they're the users of my app first, and then members of their respective clubs within that app
So the clubs are kinda-sorta multi-tenant thingamajig...?
RBAC (role based access control) lets you specify [Authorize(Roles = "Admin")] in the controller https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-5.0&preserve-view=true#adding-role-checks
Yeah, for the built-in Identity roles
Where each user has a role within my app
Thing is, users can have roles within my app, and within their clubs
So the user can be a Moderator of a "Fizzy Pickle Juice Fanclub", but that doesn't mean they're the moderator of "Spoiled Milk Sucks", let alone the moderator of my site
Ah, hmm.
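An added example, not part of the thread: per-club roles fit ASP.NET Core's policy-based authorization, where a custom requirement handler takes the club id from the route and looks up the caller's role on the join table. The type names, the {clubId} route parameter, the role ordering and the use of the NameIdentifier claim as the user id are all assumptions, and implicit usings are assumed to be enabled.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using System.Security.Claims;
// Hypothetical model: role enum on the user-club join table, ordered so a higher value includes the lower roles.
public enum ClubRole { Member, Moderator, Founder }
public class ClubMembership { public int ClubId { get; set; } public string UserId { get; set; } = ""; public ClubRole Role { get; set; } }
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<ClubMembership> ClubMemberships => Set<ClubMembership>();
    protected override void OnModelCreating(ModelBuilder b) => b.Entity<ClubMembership>().HasKey(m => new { m.ClubId, m.UserId });
}
public static class PolicyNames { public const string ClubMember = "ClubMember", ClubModerator = "ClubModerator", ClubFounder = "ClubFounder"; }
// Requirement: the caller holds at least MinimumRole in the club named by the {clubId} route value.
public record ClubRoleRequirement(ClubRole MinimumRole) : IAuthorizationRequirement;
public class ClubRoleHandler : AuthorizationHandler<ClubRoleRequirement>
{
    private readonly AppDbContext _db;
    public ClubRoleHandler(AppDbContext db) => _db = db;
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ClubRoleRequirement requirement)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        // Fail closed: without a user id, an HttpContext and a numeric {clubId}, Succeed() is never called.
        if (userId is null || context.Resource is not HttpContext http ||
            !int.TryParse(http.GetRouteValue("clubId")?.ToString(), out var clubId))
            return;
        var role = await _db.ClubMemberships
            .Where(m => m.ClubId == clubId && m.UserId == userId)
            .Select(m => (ClubRole?)m.Role)
            .SingleOrDefaultAsync();
        if (role >= requirement.MinimumRole) context.Succeed(requirement); // a null role (not a member) compares false
    }
}
public static class ClubAuthorizationExtensions
{
    public static IServiceCollection AddClubPolicies(this IServiceCollection services)
    {
        services.AddScoped<IAuthorizationHandler, ClubRoleHandler>(); // scoped, because it depends on the DbContext
        services.AddAuthorization(o =>
        {   // Registers "ClubMember", "ClubModerator" and "ClubFounder", matching the PolicyNames constants.
            foreach (var r in Enum.GetValues<ClubRole>()) o.AddPolicy($"Club{r}", p => p.AddRequirements(new ClubRoleRequirement(r)));
        });
        return services;
    }
}
```

After `builder.Services.AddClubPolicies()` at startup, `[Authorize(PolicyNames.ClubFounder)]` on an action whose route contains `{clubId}` is denied unless the signed-in user is the founder of that particular club. The role is read from the database on every request, so a kick or demotion takes effect immediately instead of waiting for a cookie or token to expire.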