Open ItielBeeri opened 3 years ago
@ItielBeeri I've been looking at this as we were after the same feature.
I've got together some working (or at least seems to be) code, if you want to take a look https://github.com/Polystream/WebApiAuthorization/commit/8317da557b3cc098409bc4d82d708d7fd8d98481
The problem I ran into was that the SelectExpandClause wasn't available in the middleware prior to the query actually being executed. I've worked around this but it feels a little hacky at the moment
https://github.com/Polystream/WebApiAuthorization/blob/8317da557b3cc098409bc4d82d708d7fd8d98481/src/Microsoft.AspNetCore.OData.Authorization/ODataAuthorizationMiddleware.cs#L56-L60
Any updates on this? Is there a permanent solution to this?
First, this is a very helpful library that is going to simplify our security implementation in the growing OData stack we maintain. Thank you!
I examined in the docs the support for authorization on navigation properties, and noticed that this works as long as these navigations are accessed through nested paths. Is there a way to force the restrictions when entities are accessed through the $expand operator? For example, for the URL /customers?$expand=orders I would like the user to be permitted only if they have both Customers.Read AND Orders.Read scopes. How can this be achieved?
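
Added example (not part of the thread, the library, or the linked commit): one way to derive the scopes a request like /customers?$expand=orders must hold, by walking an already parsed SelectExpandClause, including nested expands. The class and method names are hypothetical, the "<EntitySet>.Read" scope naming is assumed from the question, and how the clause is obtained before the query runs is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.OData.UriParser;

// Hypothetical helper, not part of the library or the linked commit.
public static class ExpandScopeCollector
{
    // Assumption: read scopes are named "<EntitySet>.Read", as in the question.
    public static ISet<string> RequiredReadScopes(string rootEntitySet, SelectExpandClause clause)
    {
        var scopes = new HashSet<string>(StringComparer.Ordinal) { rootEntitySet + ".Read" };
        Collect(clause, scopes);
        return scopes;
    }

    private static void Collect(SelectExpandClause clause, ISet<string> scopes)
    {
        if (clause == null) return; // no $select/$expand at this level
        foreach (SelectItem item in clause.SelectedItems)
        {
            // Matches $expand=orders and $expand=orders/$ref
            // (ExpandedNavigationSelectItem derives from ExpandedReferenceSelectItem).
            if (item is ExpandedReferenceSelectItem expanded)
            {
                string target = expanded.NavigationSource?.Name;
                // Fail closed: an expand whose target cannot be resolved
                // must not be silently allowed through.
                if (string.IsNullOrEmpty(target))
                    throw new InvalidOperationException(
                        "Expanded navigation has no resolvable target; deny the request.");
                scopes.Add(target + ".Read");
            }
            // Nested expands, e.g. $expand=orders($expand=items)
            if (item is ExpandedNavigationSelectItem nav)
                Collect(nav.SelectAndExpand, scopes);
        }
    }

    // AND semantics: every required scope must be among the granted ones.
    public static bool IsPermitted(IEnumerable<string> grantedScopes, ISet<string> required)
        => required.IsSubsetOf(grantedScopes);
}
```

For /customers?$expand=orders with entity sets named Customers and Orders, RequiredReadScopes yields Customers.Read and Orders.Read, and IsPermitted returns false if either is missing from the caller's granted scopes.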