Open affand opened 6 years ago
It's a new feature. We might or might not implement it in the future, because we're also considering implementing claim-based auth here.
@affand Could you give me a good argument for why role-based auth is better?
Hi @frandi,
I think authentication & authorization are a basic security feature that every app should have. Currently I found no authorization in the app. So I suggest implementing role-based authorization simply because it's easy to set up and use. Of course in the future it might change based on client needs.
Agree, but please help me to decide whether it's better to go with role-based or claim-based. Thanks!
Hi @frandi,
A role is like a category that groups users who share the same levels of security privileges. Whereas a Claim is a right of the user to identify themselves. Each user can have a unique claim, for example we can add the user Id to a claim so that we can authorize the user with more specific criteria by using claims.
Claims are also useful in a RESTful scenario where you can assign a claim to a client, and the client can then present the claim for authorization.
In conclusion, for a better authorization strategy I would recommend using claim-based authorization.
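An added example (not part of the thread or the project's code) contrasting the two models discussed above: a role check for the issue's "only administrator can manage Site" case, and a claim check that matches a user Id claim against a resource owner. All action names, claim types and sample principals are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """Authenticated caller; claims are (type, value) pairs issued at login."""
    name: str
    claims: frozenset

    def has_claim(self, ctype, value):
        return (ctype, value) in self.claims

# Role-based policy: action -> roles allowed. A role is modelled as a "role" claim.
ROLE_POLICY = {"site:manage": {"Administrator"}}

def authorize_by_role(user, action):
    allowed = ROLE_POLICY.get(action)
    if not allowed:                        # fail closed on unmapped actions
        return False
    return any(user.has_claim("role", r) for r in allowed)

# Claim-based policy: action -> predicate over (principal, resource).
CLAIM_POLICY = {
    "site:manage": lambda u, res: u.has_claim("role", "Administrator"),
    # Per-user rule a role cannot express: only the owner may edit a profile.
    "profile:edit": lambda u, res: u.has_claim("user_id", res.get("owner_id")),
    # API client presenting a claim, as in the RESTful scenario.
    "site:read": lambda u, res: u.has_claim("scope", "site.read"),
}

def authorize_by_claim(user, action, resource=None):
    rule = CLAIM_POLICY.get(action)
    if rule is None:                       # fail closed on unmapped actions
        return False
    return bool(rule(user, resource or {}))

# Constructed sample principals and resource (not real accounts).
admin = Principal("admin", frozenset({("role", "Administrator"), ("user_id", "1")}))
alice = Principal("alice", frozenset({("role", "Member"), ("user_id", "42")}))
api_client = Principal("ci-bot", frozenset({("scope", "site.read")}))
alice_profile = {"owner_id": "42"}

if __name__ == "__main__":
    print("role  admin manages site:", authorize_by_role(admin, "site:manage"))
    print("role  alice manages site:", authorize_by_role(alice, "site:manage"))
    print("claim alice edits own profile:", authorize_by_claim(alice, "profile:edit", alice_profile))
    print("claim admin edits alice's profile:", authorize_by_claim(admin, "profile:edit", alice_profile))
    print("claim client reads site:", authorize_by_claim(api_client, "site:read"))
```

Note that the Administrator role does not pass the owner check in this sketch; whether administrators should override per-user rules is a policy decision that has to be written into the rule explicitly.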
Alright, we'll prioritize claim-based auth then. We'll see if we need the additional role-based auth later. Thanks.
Need to add Role-based authorization to restrict resources based on user role. For example, only an administrator can manage Site: