amantinband / clean-architecture

The ultimate clean architecture template for .NET applications 💪
MIT License
1.4k stars 221 forks

Resource-based authorization #13

Closed NRichet closed 5 months ago

NRichet commented 6 months ago

Hello amantinband,

Great initiative, thank you very much for your contribution. I see that you have implemented role-based authorization, permissions, and policies. However, how would you go about implementing resource-based authorization in your architecture? For instance, if you need to secure a resource exclusively for its creator or accessible only to an admin.

Thank you

amantinband commented 6 months ago

Hey @NRichet!

You can create a policy and enforce your logic there.

I think you described the SelfOrAdmin example policy I created, which allows access to a resource to the owner of the resource or to a user with the Admin role.

NRichet commented 6 months ago

Thank you for the feedback @amantinband

I perceive SelfOrAdmin as follows: the user making the request can only use a different userId if they have administrator status, regardless of the ownership of the resource. This means that if user A creates a resource (A) that belongs to him, user B can delete it as long as he makes the request as user B or as an administrator. However, I intended for only user A to be able to delete his own resource.

amantinband commented 6 months ago

Nope, "Self" is "do action on my own resources". So user B can only make changes to user B's resources. Take a look at the PolicyEnforcer for the underlying implementation. You can also play with the following unit test that validates exactly this: https://github.com/amantinband/clean-architecture/blob/d4ef4c9a8462d9c5487bc867451b32061afb1c12/tests/CleanArchitecture.Application.SubcutaneousTests/Subscriptions/Commands/CancelSubscription/CancelSubscription.AuthorizationTests.cs#L73C5-L73C5
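
To make the "Self" semantics in the reply above concrete, here is an added example; it is not the project's PolicyEnforcer or any code from the repository. It expresses SelfOrAdmin as ASP.NET Core resource-based authorization: the handler compares the caller's identity claim with the owner recorded on the loaded resource, so a non-admin user B gains nothing by sending user A's id in the request. The `IOwnedResource` interface, the `Subscription` record, the use of `ClaimTypes.NameIdentifier`/`ClaimTypes.Role` and the role name "Admin" are assumptions, and the program needs the `Microsoft.AspNetCore.Authorization` package.

```csharp
// Added example (not the project's code): SelfOrAdmin as a resource-based
// authorization handler. Assumes Microsoft.AspNetCore.Authorization.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Assumed contract: any resource that records who created it.
public interface IOwnedResource { string OwnerId { get; } }

// Hypothetical resource used for the demo.
public sealed record Subscription(string Id, string OwnerId) : IOwnedResource;

// The requirement is only a marker; the decision lives in the handler.
public sealed class SelfOrAdminRequirement : IAuthorizationRequirement { }

public sealed class SelfOrAdminHandler
    : AuthorizationHandler<SelfOrAdminRequirement, IOwnedResource>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        SelfOrAdminRequirement requirement,
        IOwnedResource resource)
    {
        // Identity of the caller comes from the authenticated principal,
        // never from a userId field in the request body or route.
        var callerId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        // "Self" means the caller owns this particular resource; "Admin" is the
        // assumed role name that bypasses the ownership check.
        if (context.User.IsInRole("Admin") ||
            (callerId is not null && callerId == resource.OwnerId))
        {
            context.Succeed(requirement);
        }

        // No context.Fail(): an unmet requirement is already a deny.
        return Task.CompletedTask;
    }
}

public static class Program
{
    // Builds a principal the way an authentication handler would.
    static ClaimsPrincipal UserWith(string id, params string[] roles)
    {
        var identity = new ClaimsIdentity("Test"); // role claim type defaults to ClaimTypes.Role
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, id));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    // Runs the handler directly, without the DI container, and returns the decision.
    static async Task<bool> Allowed(ClaimsPrincipal user, IOwnedResource resource)
    {
        var requirement = new SelfOrAdminRequirement();
        var ctx = new AuthorizationHandlerContext(new[] { requirement }, user, resource);
        await new SelfOrAdminHandler().HandleAsync(ctx);
        return ctx.HasSucceeded;
    }

    public static async Task Main()
    {
        // Constructed sample data: a subscription created by user A.
        var subscriptionOfA = new Subscription("sub-1", OwnerId: "A");
        var userA = UserWith("A");
        var userB = UserWith("B");
        var admin = UserWith("C", "Admin");

        Console.WriteLine($"A on A's subscription: {await Allowed(userA, subscriptionOfA)}");  // owner
        Console.WriteLine($"B on A's subscription: {await Allowed(userB, subscriptionOfA)}");  // neither owner nor Admin
        Console.WriteLine($"admin on A's subscription: {await Allowed(admin, subscriptionOfA)}"); // Admin role
    }
}
```

In an application the same handler is wired with `AddAuthorization(o => o.AddPolicy("SelfOrAdmin", p => p.AddRequirements(new SelfOrAdminRequirement())))` plus `AddSingleton<IAuthorizationHandler, SelfOrAdminHandler>()`, and the command handler calls `IAuthorizationService.AuthorizeAsync(user, resource, "SelfOrAdmin")` after loading the entity. Evaluating the policy after the load, against the stored owner, is what makes it resource-based rather than a claims-only check.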

rstich commented 6 months ago

> Thank you for the feedback @amantinband
>
> I perceive SelfOrAdmin as follows: the user making the request can only use a different userId if they have administrator status, regardless of the ownership of the resource. This means that if user A creates a resource (A) that belongs to him, user B can delete it as long as he makes the request as user B or as an administrator. However, I intended for only user A to be able to delete his own resource.

Maybe I'm not far enough into the course to have the answer to it for myself, but: doesn't this mix and match Application and Business Rules with Policies if I do such very specific checks in the Presentation Layer?

amantinband commented 5 months ago

Closing this issue. Feel free to reopen if you have further questions