protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, MealRequirment requirement)
        {
            // Succeeds the requirement when the caller holds the "placeorder" permission and either
            // stays within the small-order limit (Amount <= 10) or belongs to one of the ordering
            // roles (customer, waitress, cook). Never calls context.Fail(): an unmet requirement is
            // simply left unsatisfied for the rest of the pipeline to decide.
            var principal = context.User;

            // The permission is the gate; without it no role makes a difference.
            if (!await _client.HasPermissionAsync(principal, "placeorder"))
            {
                return;
            }

            // Small orders need nothing more. Larger ones require one of the ordering roles; the
            // role lookups are evaluated lazily (short-circuit ||) so only the roles up to the first
            // match are queried, and none at all for small orders.
            var withinLimit = requirement.Amount <= 10;
            var canOrder = withinLimit ||
                           await _client.IsInRoleAsync(principal, "customer") ||
                           await _client.IsInRoleAsync(principal, "waitress") ||
                           await _client.IsInRoleAsync(principal, "cook");

            if (canOrder)
            {
                context.Succeed(requirement);
            }
        }
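        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, MealRequirment requirement)
        {
            // Succeeds the requirement when the caller may fill an order:
            //   - the "fillorder" permission is mandatory;
            //   - orders of at most 10 items need nothing more;
            //   - larger soda orders may be filled by a waitress;
            //   - any other large order requires the cook role.
            // Never calls context.Fail(): an unmet requirement is simply left unsatisfied.
            var user = context.User;

            if (!await _client.HasPermissionAsync(user, "fillorder"))
            {
                return;
            }

            bool allowed;

            // Limiting the amount of food people can fill in one order.
            if (requirement.Amount <= 10)
            {
                allowed = true;
            }
            // If the item is soda then the waitress (as well as the cook) makes it.
            // string.Equals tolerates a null Item (compares false) where Item.Equals(...) would
            // throw a NullReferenceException and turn the authorization check into a server error.
            else if (await _client.IsInRoleAsync(user, "waitress") &&
                     string.Equals(requirement.Item, "soda", StringComparison.Ordinal))
            {
                allowed = true;
            }
            else
            {
                allowed = await _client.IsInRoleAsync(user, "cook");
            }

            if (allowed)
            {
                context.Succeed(requirement);
            }
        }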
        public async Task <IActionResult> CookOnly()
        {
            // Imperative role check through the policy-server client for the current authenticated
            // user; this is the same as decorating the action with [Authorize(Roles = "cook")].
            // Cooks get the "Success" view, everyone else a 403 via Forbid().
            var cook = await _client.IsInRoleAsync(User, "cook");
            return cook ? (IActionResult)View("Success") : Forbid();
        }
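        public async Task <IActionResult> NursesOnly()
        {
            // Imperative role check through the client library (the declarative equivalent is
            // [Authorize(Roles = "nurse")]).
            var isNurse = await _client.IsInRoleAsync(User, "nurse");

            // The lookup result must gate the action: it was previously computed and ignored, so
            // every authenticated caller reached the success view. Mirrors CookOnly.
            if (!isNurse)
            {
                return(Forbid());
            }

            return(View("success"));
        }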
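        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                             TeamMembersRequirement requirement)
        {
            // Succeeds the requirement for supervisors, or for callers holding the
            // "persons.read.team" permission whose "teams" claim names the requested team.
            // Never calls context.Fail(): an unmet requirement is simply left unsatisfied.
            var user = context.User;

            // supervisor has access to perform action over all records
            if (await _client.IsInRoleAsync(user, "supervisor"))
            {
                context.Succeed(requirement);
                return;
            }

            // we can also pass the permission as a parameter
            if (!await _client.HasPermissionAsync(user, "persons.read.team"))
            {
                return;
            }

            // here we can fetch the team for the logged user consuming a service
            // for demo purposes we are fetching the team from user claims
            // NOTE(review): only the first "teams" claim is considered; a user carrying several
            // team claims is matched against just one of them — confirm that is intended.
            var team = user.Claims.FirstOrDefault(x => x.Type == "teams")?.Value;

            // A missing claim must never match: without this guard a principal with no "teams"
            // claim and a requirement whose TeamName is null compare null == null and succeed.
            if (!string.IsNullOrEmpty(team) && team == requirement.TeamName)
            {
                context.Succeed(requirement);
            }
        }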
        public async Task <IActionResult> Write(string personId)
        {
            // Grants the "success" view if any of three checks passes, evaluated in this order:
            //   1. the caller is a supervisor (role check through the client);
            //   2. the caller is the person being written (CurrentUserRequirement for personId);
            //   3. the caller belongs to team "teamOne" (TeamMembersRequirement).
            // Otherwise responds with 403 via Forbid().
            if (await _client.IsInRoleAsync(User, "supervisor"))
            {
                return(View("success"));
            }

            // checks if the requested user is the same as the logged user
            var sameUser = await _authz.AuthorizeAsync(User, null, new CurrentUserRequirement { UserId = personId });
            if (sameUser.Succeeded)
            {
                return(View("success"));
            }

            // last resort: membership of the (demo, hard-coded) team
            var sameTeam = await _authz.AuthorizeAsync(User, null, new TeamMembersRequirement { TeamName = "teamOne" });
            return sameTeam.Succeeded ? (IActionResult)View("success") : Forbid();
        }
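        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SameLocationRequirement requirement)
        {
            // Succeeds the requirement for supervisors, or for managers whose "location" claim
            // covers the requested location. Never calls context.Fail().
            var user = context.User;

            // supervisor has access to perform action over all records
            if (await _client.IsInRoleAsync(user, "supervisor"))
            {
                context.Succeed(requirement);
                return;
            }

            // only managers are allowed
            if (!await _client.IsInRoleAsync(user, "manager"))
            {
                return;
            }

            // A null Location makes Contains throw inside the authorization pipeline and an empty
            // one matches every location claim; neither may grant access.
            if (string.IsNullOrEmpty(requirement.Location))
            {
                return;
            }

            // NOTE(review): Contains is an ordinal substring test, so a claim value such as
            // "NorthYorkshire" satisfies Location "York". If the claim holds exactly one location,
            // compare with string.Equals instead; if it holds a delimited list, split it first.
            if (user.HasClaim(x => x.Type == "location" && x.Value.Contains(requirement.Location)))
            {
                context.Succeed(requirement);
            }
        }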
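        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CurrentUserRequirement requirement)
        {
            // Succeeds the requirement for supervisors, or when the caller's "sub" claim equals the
            // requested UserId. Never calls context.Fail().
            var user = context.User;

            // supervisor has access to perform action over all users
            if (await _client.IsInRoleAsync(user, "supervisor"))
            {
                context.Succeed(requirement);
                return;
            }

            // ?.Value: a principal without a "sub" claim used to throw a NullReferenceException
            // here, surfacing as a server error instead of a denial.
            // NOTE(review): with default inbound claim-type mapping the JWT "sub" claim may be
            // exposed as ClaimTypes.NameIdentifier rather than "sub" — confirm against the
            // authentication setup.
            var userId = user.Claims.FirstOrDefault(x => x.Type == "sub")?.Value;

            // checks if the user is trying to access his own data; a missing subject must never
            // match, even when requirement.UserId is also null (null == null would otherwise succeed).
            if (!string.IsNullOrEmpty(userId) && userId == requirement.UserId)
            {
                context.Succeed(requirement);
            }
        }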
        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, MedicationRequirement requirement)
        {
            // Succeeds the requirement when the caller holds "PrescribeMedication" and either the
            // amount is at most 10, the caller is a doctor, or the medication is "placebo".
            // Without the permission nothing is granted, placebo included.
            // Never calls context.Fail(): an unmet requirement is simply left unsatisfied.
            var principal = context.User;

            if (!await _client.HasPermissionAsync(principal, "PrescribeMedication"))
            {
                return;
            }

            // The role lookup only happens for large amounts (short-circuit ||), and the placebo
            // exemption is consulted last, only when the caller is not otherwise allowed.
            var canPrescribe = requirement.Amount <= 10
                               || await _client.IsInRoleAsync(principal, "doctor")
                               || requirement.MedicationName == "placebo";

            if (canPrescribe)
            {
                context.Succeed(requirement);
            }
        }