It would be nice to have a tag helper to SuppressOutput for elements when an authorization policy is not satisfied.
Consider this markup:
```html
<ul>
    <li asp-policy="foo-policy"><a href="#">You Can Access Foo</a></li>
</ul>
```
With this tag helper:
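```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Razor.TagHelpers;

// Targets any element that carries an asp-policy attribute.
[HtmlTargetElement(Attributes = "asp-policy")]
public class AuthorizationPolicyTagHelper : TagHelper
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IHttpContextAccessor _httpContextAccessor;

    public AuthorizationPolicyTagHelper(IHttpContextAccessor httpContextAccessor, IAuthorizationService authorizationService)
    {
        _httpContextAccessor = httpContextAccessor;
        _authorizationService = authorizationService;
    }

    [HtmlAttributeName("asp-policy")]
    public string Policy { get; set; }

    public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
    {
        // AuthorizeAsync returns bool in ASP.NET Core 1.x; on 2.0+ it returns
        // AuthorizationResult, so test .Succeeded there instead.
        if (false == await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User, Policy))
        {
            // Drop the element and its content from the rendered page.
            output.SuppressOutput();
        }
    }
}
```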
Thus the element is hidden if the user is not allowed. It would be quite nice to have this built in for RC2/RTM.
The code's all yours // _CLA signed_ :)
// @HaoK @blowdart
I love this. :heart:
+1
How about 'resource' and 'requirement' scenarios?
Personally, I'd make 2 diff tag helpers -- one for simple policy, and another for resource-based.
But yea, for the resource-based, having some mechanism for inputs (like asp-route-*) would be interesting.
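The resource-based variant raised in the two comments above, as an added example that is not code from this thread or from ASP.NET Core. The class name `ResourcePolicyTagHelper`, the attributes `asp-resource-policy` and `asp-resource`, and the `CanEdit` policy are hypothetical, and the `.Succeeded` check assumes ASP.NET Core 2.0 or later.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.AspNetCore.Razor.TagHelpers;

// Hypothetical usage: <li asp-resource-policy="CanEdit" asp-resource="Model.Document">...</li>
[HtmlTargetElement(Attributes = "asp-resource-policy,asp-resource")]
public class ResourcePolicyTagHelper : TagHelper
{
    private readonly IAuthorizationService _authorizationService;

    public ResourcePolicyTagHelper(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }

    [HtmlAttributeName("asp-resource-policy")]
    public string Policy { get; set; }

    // A non-string property is evaluated as a C# expression by Razor,
    // so asp-resource="Model.Document" passes the object itself.
    [HtmlAttributeName("asp-resource")]
    public object Resource { get; set; }

    // Set by the framework; gives the current user without IHttpContextAccessor.
    [ViewContext]
    [HtmlAttributeNotBound]
    public ViewContext ViewContext { get; set; }

    public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
    {
        // Fail closed: a missing resource or policy name hides the element.
        if (Resource == null || string.IsNullOrEmpty(Policy))
        {
            output.SuppressOutput();
            return;
        }

        // The resource is handed to the policy's handlers along with the user.
        var result = await _authorizationService.AuthorizeAsync(ViewContext.HttpContext.User, Resource, Policy);
        if (!result.Succeeded)
        {
            output.SuppressOutput();
        }
    }
}
```

Suppressing the markup only trims the UI; the action the hidden link or form targets still has to make the same `AuthorizeAsync` call against the same resource.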
I like it! :+1:
Well, there you go -- count 'em: 3 +1s -- that's it, they have to do it now. :)
We're largely done taking features for this release, so putting this on the backlog. Cool feature!
I have created an Authorize tag helper that supports roles, policies and authentication schemes. It works exactly like the Authorize attribute and Authorization filter.

Only authenticated users

```html
<div asp-authorize class="panel panel-default">
    <div class="panel-heading">Welcome !!</div>
    <div class="panel-body">
        If you're logged in, you can see this section
    </div>
</div>
```

Only users who are members of a role

```html
<div asp-authorize asp-roles="Admin" class="panel panel-default">
    <div class="panel-heading">Admin Section</div>
    <div class="panel-body">
        Only admin users can see this section. Top secret admin things go here.
    </div>
</div>
```

Only users meeting the requirements for a Policy

```html
<div asp-authorize asp-policy="Seniors" class="panel panel-default">
    <div class="panel-heading">Seniors Only</div>
    <div class="panel-body">
        Only users age 65 or older can see this section. Early bird dinner coupons go here. The app has a policy named Seniors which requires a claim of type <i>Age</i> with a value greater than or equal to <i>65</i>.
    </div>
</div>
```

Policy and role combined

```html
<div asp-authorize asp-roles="Admin" asp-policy="Seniors" class="panel panel-default">
    <div class="panel-heading">Admin Seniors Only</div>
    <div class="panel-body">
        Only users who have both the Admin role AND are age 65 or older can see this section.
    </div>
</div>
```
Would the team be willing to consider including this in the next release of ASP.NET Core? If so, I would be happy to submit a pull request once I have added some unit tests.
My implementation is here:
https://github.com/dpaquette/TagHelperSamples/blob/master/TagHelperSamples/src/TagHelperSamples.Authorization/AuthorizeTagHelper.cs
and I wrote a blog post detailing the usage here:
https://www.davepaquette.com/archive/2017/11/05/authorize-tag-helper.aspx
Looks like the tag helper @dpaquette has shared here solves the problem and it's really nice.
Closing this as there is already a good solution available.