/// <summary>
/// Decides whether the current user may apply a role assignment.
/// </summary>
/// <param name="context">Authorization context carrying the user's claims.</param>
/// <param name="requirement">The requirement marked as met when the assignment is allowed.</param>
/// <param name="newAndCurrentRoles">
/// Role-name pair; going by the parameter name, Item1 holds the new roles and Item2 the current ones.
/// </param>
/// <returns>A completed task; the outcome is recorded on <paramref name="context"/>.</returns>
/// <remarks>
/// The handler only ever calls Succeed. A denied request simply leaves the requirement unmet,
/// so any other handler registered for the same requirement can still satisfy it.
/// </remarks>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AssignRolesAuthorizationRequirement requirement, Tuple<string[], string[]> newAndCurrentRoles)
{
    string[] newRoles = newAndCurrentRoles.Item1;
    string[] currentRoles = newAndCurrentRoles.Item2;

    // No role change reported: allowed without looking at any permission claim.
    if (!GetIsRolesChanged(newRoles, currentRoles))
    {
        context.Succeed(requirement);
        return Task.CompletedTask;
    }

    // Any actual change needs the AssignRoles permission; without it the requirement stays unmet.
    if (!context.User.HasClaim(CustomClaimTypes.Permission, ApplicationPermissions.AssignRoles))
    {
        return Task.CompletedTask;
    }

    // A ViewRoles holder may assign any role. Everyone else is limited to roles they already
    // belong to, which is what stops an assigner from handing out roles above their own.
    // NOTE(review): the second check rests entirely on GetIsUserInAllAddedRoles, which is not
    // visible here; confirm it only inspects the roles being added and treats removals as intended.
    bool mayAssign = context.User.HasClaim(CustomClaimTypes.Permission, ApplicationPermissions.ViewRoles)
        || GetIsUserInAllAddedRoles(context.User, newRoles, currentRoles);

    if (mayAssign)
    {
        context.Succeed(requirement);
    }

    return Task.CompletedTask;
}
/// <summary>
/// Authorizes a role assignment for the current user.
/// </summary>
/// <param name="context">Authorization context carrying the user's claims.</param>
/// <param name="requirement">The requirement marked as met when the assignment is allowed.</param>
/// <param name="newAndCurrentRoles">
/// Role-name pair; going by the parameter name, Item1 holds the new roles and Item2 the current ones.
/// </param>
/// <returns>A completed task; the outcome is recorded on <paramref name="context"/>.</returns>
/// <remarks>
/// Succeed is the only outcome this handler records. It never calls Fail, so a request it does
/// not approve can still be approved by another handler for the same requirement.
/// </remarks>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AssignRolesAuthorizationRequirement requirement, Tuple<string[], string[]> newAndCurrentRoles)
{
    // Evaluated left to right with short-circuiting:
    //   1. no role change reported                  -> allowed, no claim is consulted
    //   2. otherwise the AssignRoles claim is mandatory
    //   3. with AssignRoles, a ViewRoles holder may assign any role
    //   4. without ViewRoles, the user must already be in every added role
    // NOTE(review): step 4 is the guard against granting roles the assigner does not hold and
    // it depends on IsUserInAllAddedRoles, which is not visible here; verify its handling of
    // added versus removed roles.
    bool isAuthorized =
        !RolesHasChanges(newAndCurrentRoles.Item1, newAndCurrentRoles.Item2)
        || (context.User.HasClaim(ApplicationClaimType.Authorization, AuthorizationManager.AssignRoles)
            && (context.User.HasClaim(ApplicationClaimType.Authorization, AuthorizationManager.ViewRoles)
                || IsUserInAllAddedRoles(context.User, newAndCurrentRoles.Item1, newAndCurrentRoles.Item2)));

    if (isAuthorized)
    {
        context.Succeed(requirement);
    }

    return Task.CompletedTask;
}