/// <summary>
/// Checks whether the user may read a single element. When read access is denied, the action
/// result is replaced with an <see cref="UnauthorizedResult"/>; otherwise any unauthorized
/// content inside the element is filtered out.
/// </summary>
/// <typeparam name="T">The type of the content to be searched.</typeparam>
/// <param name="content">The content being searched. It is passed to the authorizer as given; no null check is made here.</param>
/// <param name="readAuthorizeObject">Executes read authorization methods against this type of object.</param>
/// <param name="context">The Microsoft.AspNetCore.Mvc.Filters.ActionExecutedContext whose result is replaced on denial.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="context"/> or <paramref name="readAuthorizeObject"/> is <c>null</c>.
/// </exception>
public static void Filter<T>(T content, IReadAuthorize<T> readAuthorizeObject, ActionExecutedContext context)
{
    // Guards run in this order so that a missing context is reported first.
    if (context is null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    if (readAuthorizeObject is null)
    {
        throw new ArgumentNullException(nameof(readAuthorizeObject));
    }

    bool mayRead = readAuthorizeObject.CanRead(content);
    if (mayRead)
    {
        // Only the element itself is handed to the filter; context.Result is not reassigned.
        // NOTE(review): presumably content is the same instance the result already holds, so an
        // in-place filter is what reaches the response - verify against the caller.
        readAuthorizeObject.FilterUnauthorizedContent(content);
    }
    else
    {
        // Deny: overwrite whatever result the action produced, and do not run the content filter.
        // NOTE(review): UnauthorizedResult yields HTTP 401; for a caller who is authenticated but
        // lacks permission, 403 is the conventional status - confirm this is intended.
        context.Result = new UnauthorizedResult();
    }
}
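/// <summary>
/// Reduces a collection to the elements the user may read, filters unauthorized content out of
/// each remaining element, and stores the resulting list on <paramref name="contextResult"/>.
/// </summary>
/// <typeparam name="T">The type of content to be searched.</typeparam>
/// <param name="objects">The content collection being searched.</param>
/// <param name="readAuthorizeObject">Executes read authorization methods against this type of object.</param>
/// <param name="contextResult">The context result object whose value is replaced with the filtered collection.</param>
/// <exception cref="ArgumentNullException">Any of the three arguments is <c>null</c>.</exception>
public static void FilterMany<T>(IEnumerable<T> objects, IReadAuthorize<T> readAuthorizeObject, ObjectResult contextResult)
{
    if (contextResult == null)
    {
        throw new ArgumentNullException(nameof(contextResult));
    }

    if (readAuthorizeObject == null)
    {
        throw new ArgumentNullException(nameof(readAuthorizeObject));
    }

    // Enumerable.Where rejects a null source as well, but reports it under the parameter name
    // "source"; checking here names the argument the caller actually passed.
    if (objects == null)
    {
        throw new ArgumentNullException(nameof(objects));
    }

    // Materialize once: CanRead is evaluated a single time per element, and the list that gets
    // filtered below is exactly the list that is published.
    var readable = objects.Where(readAuthorizeObject.CanRead).ToList();

    foreach (var item in readable)
    {
        readAuthorizeObject.FilterUnauthorizedContent(item);
    }

    // Assigned last, so an exception from CanRead or FilterUnauthorizedContent propagates before
    // Value is touched.
    // NOTE(review): if Value already holds the unfiltered collection at that point, the caller
    // must not let that response be written - confirm how the calling filter handles exceptions.
    contextResult.Value = readable;
}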
/// <summary>
/// Initializes a new instance of the <see cref="ReadAuthorizeEvent"/> class.
/// </summary>
/// <param name="userAccessor">An instance of IUserAccessor to identify user access.</param>
/// <param name="readAuthorizeMember">An instance of IReadAuthorize to perform deeper authorization against members being viewed within this event.</param>
public ReadAuthorizeEvent(IUserAccessor userAccessor, IReadAuthorize<TMember> readAuthorizeMember)
{
    // Both dependencies are stored as given; neither is null-checked here.
    (UserAccessor, ReadAuthorizeMember) = (userAccessor, readAuthorizeMember);
}