CarterCommunity / Carter

Carter is a framework that is a thin layer of extension methods and functionality over ASP.NET Core allowing code to be more explicit and most importantly more enjoyable.
MIT License
2.1k stars 175 forks

Add RequiresRoles method #130

Closed: bugproof closed 5 years ago

bugproof commented 5 years ago

Basically an addition to what already exists: https://github.com/CarterCommunity/Carter/blob/5a67b19232c2b645da1dc9d42aecdaeacf1aef56/src/CarterModuleSecurity.cs#L35

jchannon commented 5 years ago

I think Roles is an older design pattern and Claims/permissions have won that area but I'm open to be persuaded otherwise 😄

bugproof commented 5 years ago

> I think Roles is an older design pattern and Claims/permissions have won that area

Can you elaborate more?

jchannon commented 5 years ago

https://stackoverflow.com/questions/22814023/role-based-access-control-rbac-vs-claims-based-access-control-cbac-in-asp-n

On Thu, 18 Oct 2018 at 12:03, Sigvaard notifications@github.com wrote:

> I think Roles is an older design pattern and Claims/permissions have won that area
>
> Can you elaborate more?


bugproof commented 5 years ago

It would be easier for people who would like to port to Carter from MVC if they use [Authorize(Roles="role1,role2")] there.

Also, I don't know if it adds any dependency to Carter but there's policy-based authorization in ASP.NET Core. So if it doesn't add any dependency it would be nice to have RequiresPolicy method too.

And how can you apply an authorization requirement per route/action? Is this possible in Carter?

jchannon commented 5 years ago

Personally I feel if they still use Roles they need to update and use Claims. For example Nancy used to do Roles but we moved to Claims.

A user can always write an extension just like RequiresClaims is in their own codebase if needs be or a separate nuget extension package if they want.

I think there is an issue for auth per route still open, think it proved to be tricky if I remember correctly :)

On Fri, 19 Oct 2018 at 08:30, Sigvaard notifications@github.com wrote:

> It would be easier for people who would like to port to Carter from MVC if they use [Authorize(Roles="role1,role2")] there.
>
> Also, I don't know if it adds any dependency to Carter but there's policy-based authorization in ASP.NET Core. So if it doesn't add any dependency it would be nice to have RequiresPolicy method too.
>
> And how can you apply an authorization requirement per route/action? Is this possible in Carter?


bugproof commented 5 years ago

I see. Those methods are trivial to implement anyway.
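
An added example, not part of the thread and not Carter's own code: in ASP.NET Core a role is a claim of the identity's role claim type, so the `Roles="role1,role2"` requirement discussed above (any one of the listed roles) can be written as claim predicates. `RoleChecks`, `HasAnyRole` and `AsClaimPredicates` are hypothetical names; only `System.Security.Claims` types are used, and the identity is assumed to keep the default role claim type.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class RoleChecks
{
    // Hypothetical helper: splits a comma-separated role list and trims each
    // entry, then passes if the authenticated user is in ANY of the roles.
    public static bool HasAnyRole(ClaimsPrincipal user, string roles)
    {
        // Fail closed for a missing or unauthenticated identity.
        if (user?.Identity == null || !user.Identity.IsAuthenticated) return false;
        return roles.Split(',')
                    .Select(r => r.Trim())
                    .Where(r => r.Length > 0)
                    .Any(user.IsInRole);
    }

    // The same requirement as one claim predicate per role. Assumes the
    // identity uses the default role claim type (ClaimTypes.Role); an identity
    // built with a custom roleType would need that type here instead.
    public static Predicate<Claim>[] AsClaimPredicates(string roles) =>
        roles.Split(',')
             .Select(r => r.Trim())
             .Where(r => r.Length > 0)
             .Select(r => new Predicate<Claim>(
                 c => c.Type == ClaimTypes.Role && c.Value == r))
             .ToArray();
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample user; a non-empty authentication type is what
        // makes IsAuthenticated true on a ClaimsIdentity.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "role2"),
        }, "ConstructedAuth");
        var user = new ClaimsPrincipal(identity);
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        // Role-style check and claim-style check over the same principal.
        Console.WriteLine(RoleChecks.HasAnyRole(user, "role1, role2"));
        var predicates = RoleChecks.AsClaimPredicates("role1, role2");
        Console.WriteLine(predicates.Any(p => user.HasClaim(p)));
        // Unauthenticated principal is rejected before any role lookup.
        Console.WriteLine(RoleChecks.HasAnyRole(anonymous, "role1"));
    }
}
```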