Closed NRichet closed 5 months ago
Hey @NRichet!
You can create a policy and enforce your logic there.
I think you described the example policy I created of SelfOrAdmin, which allows access to a resource to the owner of the resource or a user with the Admin role.
Thank you for the feedback @amantinband
I perceive SelfOrAdmin as follows: the user making the request can only use a different userId if they have the administrator status, regardless of the ownership of the resource. This means that if user A creates a resource (A) that belongs to him, user B can delete it as long as he makes the request as user B or as an administrator. However, I intended for only user A to be able to delete its own resource.
Nope, "Self" is "do action on my own resources". So user B can only make changes to user B's resources. Take a look at the PolicyEnforcer for the underlying implementation. You can also play with the following unit test that validates exactly this:
https://github.com/amantinband/clean-architecture/blob/d4ef4c9a8462d9c5487bc867451b32061afb1c12/tests/CleanArchitecture.Application.SubcutaneousTests/Subscriptions/Commands/CancelSubscription/CancelSubscription.AuthorizationTests.cs#L73C5-L73C5
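The SelfOrAdmin rule as described above, written out as an added standalone C# illustration; it is not the repository's PolicyEnforcer, and the CurrentUser, Resource and IsAuthorized names are assumed:

```csharp
// Added illustration (not the project's PolicyEnforcer): a minimal SelfOrAdmin check.
// CurrentUser, Resource and IsAuthorized are hypothetical names chosen for this example.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record CurrentUser(Guid Id, IReadOnlyList<string> Roles);
public sealed record Resource(Guid Id, Guid OwnerId);

public static class SelfOrAdminPolicy
{
    public const string AdminRole = "Admin";

    // "Self" means the caller owns the resource; "Admin" means the caller carries the Admin role.
    // Ownership is read from the stored resource, never from a userId the caller supplies,
    // so a caller cannot widen their access by sending someone else's id in the request.
    public static bool IsAuthorized(CurrentUser caller, Resource resource) =>
        caller.Id == resource.OwnerId
        || caller.Roles.Contains(AdminRole, StringComparer.Ordinal);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample principals: two plain users and one administrator.
        var userA = new CurrentUser(Guid.NewGuid(), Array.Empty<string>());
        var userB = new CurrentUser(Guid.NewGuid(), Array.Empty<string>());
        var admin = new CurrentUser(Guid.NewGuid(), new[] { SelfOrAdminPolicy.AdminRole });

        // A resource created by user A; its owner is recorded on the resource itself.
        var resourceOfA = new Resource(Guid.NewGuid(), OwnerId: userA.Id);

        Console.WriteLine($"A deletes A's resource:     {SelfOrAdminPolicy.IsAuthorized(userA, resourceOfA)}");
        Console.WriteLine($"B deletes A's resource:     {SelfOrAdminPolicy.IsAuthorized(userB, resourceOfA)}");
        Console.WriteLine($"Admin deletes A's resource: {SelfOrAdminPolicy.IsAuthorized(admin, resourceOfA)}");
    }
}
```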
Maybe I'm not far enough into the course to have the answer to it for myself, but: doesn't this mix and match Application and Business Rules with Policies if I do such very specific checks in the Presentation Layer?
Closing this issue. Feel free to reopen if you have further questions
Hello amantinband,
Great initiative, thank you very much for your contribution. I see that you have implemented role-based authorization, permissions, and policies. However, how would you go about implementing resource-based authorization in your architecture? For instance, if you need to secure a resource exclusively for its creator or accessible only to an admin.
Thank you