C# · 10mo ago
Haeri

Resource based authorization with Identity

Hello, I have the following setup in my asp.net core project: a Workspace model that has a bunch of one-to-many relationships to Datasets, Transforms etc. My identity user gets a role such as workspace_01_editor which gives him editor rights on the workspace with id 1. This works fine and I have a middleware that automatically checks the access in the WorkspaceController. However, I was unable to find a good strategy for the other controllers such as DatasetController and TransformController. I had the following ideas:

1. Put everything under the WorkspaceController and require a workspaceId for every request, e.g. /workspaces/{workspaceId}/dataset/{datasetId}. This way the middleware automatically checks for the workspaceId and does the authorisation. HOWEVER, people could cheat and supply a workspaceId they have access to and a datasetId that they don't have access to, and the authorization would still be granted since the authorization is only done on the workspaceId.

2. Still put everything under the WorkspaceController and request workspaceId, but then implement a repository pattern on every model which always requires a workspaceId as a getter, e.g. GetDatasetByIdAndWorkspaceId, so the query would be for both where dataset.Id = datasetId and dataset.WorkspaceId = workspaceId. However, this feels like a lot of work and would require all models to have a direct relationship to workspace (even the ones that might not have a direct relationship with workspace).

3. As a last resort I was thinking about manually checking in every endpoint of every controller the relationship to the workspace. So basically querying the model, fetching the workspaceId and checking against the user role. However, this would require a database request for every endpoint and is error prone since I might forget to do the check.

Does anyone know of a better strategy here?
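As an added illustration (not code from the poster's project), this is how ASP.NET Core's built-in resource-based authorization can centralize the check from option 3: one `AuthorizationHandler` evaluates the workspace role against the entity that was actually loaded from the database, so a caller-supplied workspaceId is never trusted. The `IWorkspaceScoped` interface, the `IDatasetRepository`, and the `workspace_{id:D2}_{role}` role naming are assumptions made for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Assumption: every workspace-owned entity exposes the id of the workspace it belongs to.
public interface IWorkspaceScoped { int WorkspaceId { get; } }
public class Dataset : IWorkspaceScoped { public int Id { get; set; } public int WorkspaceId { get; set; } }
public class Transform : IWorkspaceScoped { public int Id { get; set; } public int WorkspaceId { get; set; } }
public interface IDatasetRepository { Task<Dataset?> FindAsync(int id); } // hypothetical repository

// The requirement carries the role suffix ("editor", "viewer") the caller must hold on the resource's workspace.
public class WorkspaceRoleRequirement : IAuthorizationRequirement
{
    public string Role { get; }
    public WorkspaceRoleRequirement(string role) => Role = role;
}

// One handler evaluates the requirement for any IWorkspaceScoped resource, so the check
// lives in a single place instead of being repeated (or forgotten) in each controller action.
public class WorkspaceRoleHandler : AuthorizationHandler<WorkspaceRoleRequirement, IWorkspaceScoped>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        WorkspaceRoleRequirement requirement, IWorkspaceScoped resource)
    {
        // Assumption: roles are named workspace_{id:D2}_{role}, e.g. workspace_01_editor for workspace 1.
        var role = $"workspace_{resource.WorkspaceId:D2}_{requirement.Role}";
        if (context.User.IsInRole(role)) context.Succeed(requirement);
        return Task.CompletedTask; // not calling Succeed leaves the requirement unmet, so AuthorizeAsync fails
    }
}

[ApiController, Route("datasets")]
public class DatasetController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    private readonly IDatasetRepository _datasets;
    public DatasetController(IAuthorizationService authz, IDatasetRepository datasets) { _authz = authz; _datasets = datasets; }

    [HttpGet("{id}")]
    public async Task<IActionResult> Get(int id)
    {
        var dataset = await _datasets.FindAsync(id);
        if (dataset is null) return NotFound();
        // Authorize against the loaded entity: the workspace id comes from the database row,
        // not from anything the caller supplied, so a mismatched datasetId cannot pass.
        var result = await _authz.AuthorizeAsync(User, dataset, new WorkspaceRoleRequirement("editor"));
        return result.Succeeded ? Ok(dataset) : Forbid();
    }
}
// Registration (Program.cs): builder.Services.AddSingleton<IAuthorizationHandler, WorkspaceRoleHandler>();
```

The same handler fires for Transform or any other entity implementing `IWorkspaceScoped`, and the only database access is the load the action performs anyway; an entity that reaches the workspace only indirectly can still satisfy the interface by exposing its parent's WorkspaceId.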
0 Replies