dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Varied Messages for Unauthorized in AuthorizeRouteView for a specific authorization policy/role #44162

Open MilesFan opened 2 years ago

MilesFan commented 2 years ago

Is there an existing issue for this?

Is your feature request related to a problem? Please describe the problem.

In a Blazor Server application, I can obviously customize a default unauthorized message globally in App.razor as follows:

//App.razor
...
<AuthorizeRouteView RouteData="@routeData" Resource="@routeData" DefaultLayout="@typeof(MainLayout)">
    <NotAuthorized >
        You are not authorized. Please talk to John Doe the Administrator about this if needed.
        John Doe knows all and makes all the decisions.
    </NotAuthorized>
</AuthorizeRouteView>
...

This is nice in a simple application, as it gives a hint what users should do when they are not authorized to do what is supposed to be done.

However, in a large or complex organization where business along with relevant permissions are managed separately, John Doe the administrator may not be able to answer all the user queries or make a decision on the permissions.

As far as I know, to achieve the goal of letting a rejected user know what to do exactly, I have to handle unauthorized requests in each Razor page repeatedly.

Describe the solution you'd like

I propose extending AuthorizeRouteView to be capable of handling different reasons for authorization failure:

//App.razor
...
<AuthorizeRouteView RouteData="@routeData" Resource="@routeData" DefaultLayout="@typeof(MainLayout)">
    <NotAuthorized ForPolicy="CanEditFinanicalReport">
        You are not authorized. Please talk to Joshua the Financial Manager about this if needed.
    </NotAuthorized>
    <NotAuthorized ForRole="AirConController">
        You are not authorized. Please talk to Rick the Facility Manager about this if needed.
    </NotAuthorized>
    ...
    <NotAuthorized Default>
        You are not authorized. Please talk to John Doe the Administrator about whom you should turn to.
        Tell John Doe what is stopping you and he will point you to someone.
    </NotAuthorized>
</AuthorizeRouteView>
...

Additional context

No response
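
One way to get per-policy and per-role messages with the existing `AuthorizeRouteView`, as an added example that is not part of the original issue or of the aspnetcore code base: re-evaluate the routed page's `[Authorize]` attributes and map the first failing requirement to a message. `DeniedMessageResolver` and its message table are hypothetical names; the policy and role names are the ones used in the issue, and .NET 6 or later is assumed.

```csharp
// Added example, not aspnetcore code. DeniedMessageResolver and Messages are
// hypothetical; it only chooses display text, the framework still decides access.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public sealed class DeniedMessageResolver
{
    private const string Default = "Please talk to John Doe the Administrator about whom you should turn to.";
    // Constructed sample table, keyed "policy:<name>" or "role:<name>".
    private static readonly Dictionary<string, string> Messages = new()
    {
        ["policy:CanEditFinanicalReport"] = "Please talk to Joshua the Financial Manager about this if needed.",
        ["role:AirConController"] = "Please talk to Rick the Facility Manager about this if needed.",
    };
    private readonly IAuthorizationService _authz;

    public DeniedMessageResolver(IAuthorizationService authz) => _authz = authz;

    // pageType is RouteData.PageType; resource is the value App.razor passes as Resource.
    public async Task<string> ResolveAsync(ClaimsPrincipal user, Type pageType, object? resource)
    {
        // Anonymous callers get the default text, so requirement names are not revealed before sign-in.
        if (user.Identity?.IsAuthenticated != true) return Default;

        foreach (var attr in pageType.GetCustomAttributes<AuthorizeAttribute>(inherit: true))
        {
            // Named policy: ask the authorization service whether this one fails.
            if (!string.IsNullOrEmpty(attr.Policy)
                && !(await _authz.AuthorizeAsync(user, resource, attr.Policy)).Succeeded
                && Messages.TryGetValue("policy:" + attr.Policy, out var policyMsg))
                return policyMsg;

            // Roles is a comma-separated list; membership in any one of them satisfies it.
            var roles = (attr.Roles ?? "").Split(',',
                StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
            if (roles.Length > 0 && !roles.Any(user.IsInRole))
                foreach (var role in roles)
                    if (Messages.TryGetValue("role:" + role, out var roleMsg)) return roleMsg;
        }
        return Default;
    }
}
```

Register the class as a scoped service and call `ResolveAsync(context.User, routeData.PageType, routeData)` from a small component placed inside `<NotAuthorized>`, where `context` is the `AuthenticationState` that fragment receives.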

ghost commented 2 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues, you can read our Triage Process.