OData / WebApiAuthorization


Authorization of $expand #4

Open ItielBeeri opened 3 years ago

ItielBeeri commented 3 years ago

First, this is a very helpful library that is going to simplify our security implementation in the growing oData stack we maintain. Thank you!

I examined in the docs the support for authorization on navigation properties, and noticed that this works as long as these navigations are accessed through nested paths. Is there a way to enforce the restrictions when entities are accessed through the $expand operator? For example, for the URL /customers?$expand=orders I would like the user to be permitted only if they have both Customers.Read AND Orders.Read scopes. How can this be achieved?

mikenorgate commented 3 years ago

@ItielBeeri I've been looking at this as we were after the same feature.

I've got together some working (or at least seems to be) code, if you want to take a look https://github.com/Polystream/WebApiAuthorization/commit/8317da557b3cc098409bc4d82d708d7fd8d98481

The problem I ran into was that the SelectExpandClause wasn't available in the middleware prior to the query actually being executed. I've worked around this, but it feels a little hacky at the moment https://github.com/Polystream/WebApiAuthorization/blob/8317da557b3cc098409bc4d82d708d7fd8d98481/src/Microsoft.AspNetCore.OData.Authorization/ODataAuthorizationMiddleware.cs#L56-L60
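One way to get the $expand restrictions described in the question, and to obtain the SelectExpandClause before the query executes as the reply above discusses, is to parse the raw `$expand` text against the EDM model yourself with `ODataQueryOptionParser` and derive the required scopes from the navigation sources it resolves to. The following is an added, stand-alone example, not code from the WebApiAuthorization project or from the linked commit. It assumes ASP.NET Core OData 7.x (`ODataConventionModelBuilder`) plus Microsoft.OData.Core, a hypothetical `<EntitySet>.Read` scope naming convention, a hypothetical Customer/Order/OrderLine model, and that granted scopes arrive as a space-separated `scope` claim; the principal and the `$expand` string are constructed for the demonstration.

```csharp
// Added example, not part of the WebApiAuthorization project.
// Assumes: Microsoft.AspNetCore.OData 7.x (ODataConventionModelBuilder) and Microsoft.OData.Core.
// Scope convention "<EntitySet>.Read", the entity classes and the principal are all assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNet.OData.Builder;   // ODataConventionModelBuilder (ASP.NET Core OData 7.x)
using Microsoft.OData.Edm;
using Microsoft.OData.UriParser;

public class Customer { public int Id { get; set; } public IList<Order> Orders { get; set; } }
public class Order { public int Id { get; set; } public IList<OrderLine> Lines { get; set; } }
public class OrderLine { public int Id { get; set; } }

public static class ExpandScopes
{
    // Hypothetical convention: reading entity set X requires the scope "X.Read".
    static string ReadScope(IEdmNavigationSource source) => $"{source.Name}.Read";

    public static IEdmModel BuildModel()
    {
        var builder = new ODataConventionModelBuilder();
        builder.EntitySet<Customer>("Customers");
        builder.EntitySet<Order>("Orders");
        builder.EntitySet<OrderLine>("OrderLines");
        return builder.GetEdmModel();
    }

    // Parse the raw $expand text against the model (no query execution needed) and
    // collect one Read scope for the root set plus each navigation source reached,
    // recursing into nested $expand such as Orders($expand=Lines).
    public static ISet<string> RequiredScopes(IEdmModel model, string entitySetName, string rawExpand)
    {
        var entitySet = model.FindDeclaredEntitySet(entitySetName);
        var required = new HashSet<string>(StringComparer.Ordinal) { ReadScope(entitySet) };
        var parser = new ODataQueryOptionParser(
            model, entitySet.EntityType(), entitySet,
            new Dictionary<string, string> { { "$expand", rawExpand } });
        // Throws ODataException on an unknown property: let it surface (fail closed).
        Collect(parser.ParseSelectAndExpand(), required);
        return required;
    }

    static void Collect(SelectExpandClause clause, ISet<string> required)
    {
        if (clause == null) return;
        foreach (var item in clause.SelectedItems.OfType<ExpandedNavigationSelectItem>())
        {
            // NavigationSource is the entity set the expanded navigation binds to
            // (Orders for Customer.Orders), which is what the scope is keyed on.
            if (item.NavigationSource != null) required.Add(ReadScope(item.NavigationSource));
            Collect(item.SelectAndExpand, required);
        }
    }

    // Deny unless every required scope is present; report what is missing for logging.
    public static bool IsAuthorized(ClaimsPrincipal user, IEnumerable<string> required, out List<string> missing)
    {
        var granted = new HashSet<string>(
            user.FindAll("scope").SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries)),
            StringComparer.Ordinal);
        missing = required.Where(s => !granted.Contains(s)).ToList();
        return missing.Count == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        var model = ExpandScopes.BuildModel();
        // Constructed request: GET /Customers?$expand=Orders($expand=Lines)
        var required = ExpandScopes.RequiredScopes(model, "Customers", "Orders($expand=Lines)");
        Console.WriteLine("required: " + string.Join(", ", required));
        // Constructed principal holding only the first two scopes; the nested expand
        // reaches OrderLines, so this request must be denied.
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("scope", "Customers.Read Orders.Read") }, "test"));
        Console.WriteLine(ExpandScopes.IsAuthorized(user, required, out var missing)
            ? "allowed" : "denied, missing: " + string.Join(", ", missing));
    }
}
```

Because the clause is produced from the query string and the model alone, this can run in middleware before the controller action, which is the gap the reply above describes. Two caveats for a real deployment: a contained navigation has no standalone entity set, so `NavigationSource.Name` is then the property name rather than a container-level set and the scope convention has to account for that; and a parse failure should be treated as a rejection (400 or 403), never as "no extra scopes required".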

anton-kirschhock commented 3 years ago

Any updates on this? Is there a permanent solution to this?