IEntityIdAuthorizer

Namespace: ASPSecurityKit.Authorization
Assembly: ASPSecurityKit.dll

Summary

Provides an interface to perform data authorization on operation parameters, request DTOs etc. in conjunction with IReferencesProvider<TIdMemberReference>.

Remarks

At a high level, data authorization is performed as follows:

  • Traverse through the given object/parameters (including their nested properties in case of complex types) and capture the special parameters/properties (having a non-null value or at least one element in case of collections) that are deemed as identifiers (entityIds).

  • Obtain related references using IReferencesProvider<TIdMemberReference> for each such captured entityId if a loader is available for it; otherwise, just use that entityId value. Related references are usually ancestors, or higher level entityIds in terms of entity relationship hierarchy, which can be used to authorize operations on child or lower level entityIds.

  • Authorize each such entityId using its related references collection via IsAuthorized. Only one permitted reference is enough to authorize an entityId for the current operation.

  • If any of the entityIds couldn’t be authorized, Failed will be returned with Unauthorized, DoNotOwnEntityIds and AuthError collection having unauthorized entityId(s) information.

  • Finally, perform the entity suspension check using IsSuspended and report the failure if any. For detailed information, visit https://ASPSecurityKit.net/docs/article/how-to-perform-activity-based-data-aware-authorization/
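
The flow above, reduced to a self-contained C# model as an added example; it is not ASPSecurityKit's code and uses none of its types. Permit, FlowModel, the string result codes and the sample ids are assumptions constructed for this illustration.

```csharp
// Simplified model of the data authorization flow (hypothetical types, constructed data).
using System;
using System.Collections.Generic;
using System.Linq;

// A permit grants a permission on one entityId or, when EntityId is null, generally.
public record Permit(string PermissionCode, string EntityId);

public class FlowModel
{
    private readonly List<Permit> permits;
    // Stand-in for a references loader: entityId -> ancestor entityIds.
    private readonly Dictionary<string, string[]> ancestors;
    private readonly HashSet<string> suspended;

    public FlowModel(List<Permit> permits, Dictionary<string, string[]> ancestors,
        HashSet<string> suspended)
    { this.permits = permits; this.ancestors = ancestors; this.suspended = suspended; }

    public string Authorize(string permissionCode, IDictionary<string, string> entityIds,
        bool doNotPerformGeneralPermitCheck = false,
        bool doNotPerformPossessesPermissionCheck = false)
    {
        if (string.IsNullOrWhiteSpace(permissionCode))
            throw new ArgumentNullException(nameof(permissionCode));
        if (entityIds == null) throw new ArgumentNullException(nameof(entityIds));

        var held = permits.Where(p => p.PermissionCode == permissionCode).ToList();
        // No permit at all for this permission: unauthorized on all records.
        if (!doNotPerformPossessesPermissionCheck && held.Count == 0)
            return "DoNotPossessPermission";
        // General permit: authorized on all records; this model returns immediately.
        if (!doNotPerformGeneralPermitCheck && held.Any(p => p.EntityId == null))
            return "Success";

        var checkedIds = new HashSet<string>();
        foreach (var pair in entityIds.Where(e => e.Value != null)) // null ids are ignored
        {
            // The entityId itself plus its related references, when a loader knows it.
            var refs = new List<string> { pair.Value };
            if (ancestors.TryGetValue(pair.Value, out var up)) refs.AddRange(up);
            // One permitted reference is enough to authorize this entityId.
            if (!refs.Any(r => held.Any(p => p.EntityId == r)))
                return "DoNotOwnEntityIds:" + pair.Key;
            checkedIds.UnionWith(refs);
        }
        // The suspension check runs last, over the entityIds and their references.
        return checkedIds.Any(id => suspended.Contains(id)) ? "EntitiesSuspended" : "Success";
    }
}

public static class Program
{
    public static void Main()
    {
        var permits = new List<Permit> { new Permit("EditOrder", "client-1") };
        var tree = new Dictionary<string, string[]>
        {
            ["order-7"] = new[] { "client-1" },
            ["order-9"] = new[] { "client-2" }
        };
        var model = new FlowModel(permits, tree, new HashSet<string>());

        // order-7 belongs to client-1, which the identity holds a permit on.
        Console.WriteLine(model.Authorize("EditOrder",
            new Dictionary<string, string> { ["OrderId"] = "order-7", ["NoteId"] = null }));
        // order-9 belongs to client-2: no permitted reference.
        Console.WriteLine(model.Authorize("EditOrder",
            new Dictionary<string, string> { ["OrderId"] = "order-9" }));
        // No permit of any kind for DeleteOrder.
        Console.WriteLine(model.Authorize("DeleteOrder",
            new Dictionary<string, string> { ["OrderId"] = "order-7" }));
        // Same request as the first, but the ancestor client-1 is suspended.
        var withSuspension = new FlowModel(permits, tree, new HashSet<string> { "client-1" });
        Console.WriteLine(withSuspension.Authorize("EditOrder",
            new Dictionary<string, string> { ["OrderId"] = "order-7" }));
    }
}
```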

Methods

Authorize(permissionCode,method,arguments,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck)

Summary

Performs data authorization on the operation’s parameters. See IEntityIdAuthorizer remarks to learn about the flow.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
method System.Reflection.MethodInfo The method.
arguments System.Collections.Generic.IDictionary{System.String,System.Object} The operation’s arguments.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false (the default) and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false (the default) and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
Exceptions
Type Description
System.ArgumentNullException When method or arguments is null, or permissionCode is null/empty/whitespace.

Authorize(permissionCode,dto,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck)

Summary

Performs data authorization on the given request DTO. See IEntityIdAuthorizer remarks to learn about the flow.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
dto System.Object The request DTO object.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false (the default) and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false (the default) and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
Exceptions
Type Description
System.ArgumentNullException When dto is null or permissionCode is null/empty/whitespace.

IsAuthorized(permissionCode,idContainers)

Summary

Performs data authorization on the entityIds mentioned as properties in the given container objects. See IsAuthorized overload for more details.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
idContainers System.Object[] One or more container objects (usually anonymous types) each of which just contains entityId properties to authorize. Only properties having a non-null value (or at least one element in case of collections) will be considered.
Exceptions
Type Description
System.ArgumentNullException When permissionCode is null/empty/whitespace.
System.ArgumentException When idContainers is null/empty.
Remarks

This method invokes its other overload IsAuthorized passing both the bool arguments as false.

IsAuthorized(permissionCode,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck,idContainers)

Summary

Performs data authorization on the entityIds mentioned as properties in the given container objects. Although all properties are assumed to be entityId properties, only properties having a non-null value (or at least one element in case of collections) will be considered. If you’re looking to select specific properties as entityIds, use the Authorize method instead.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
idContainers System.Object[] One or more container objects (usually anonymous types) each of which just contains entityId properties to authorize. Only properties having a non-null value (or at least one element in case of collections) will be considered.
Exceptions
Type Description
System.ArgumentNullException When permissionCode is null/empty/whitespace.
System.ArgumentException When idContainers is null/empty.
Remarks

Use this method from authDefinitions, for example, to authorize entityIds using the flow mentioned on IEntityIdAuthorizer. For instance, you can call IsAuthorized(permissionCode, false, false, new { UserId = someObj.Id, someObj.ClientId },..). Only properties having a non-null value (or at least one element in case of collections) will be considered. See IEntityIdAuthorizer remarks for more information.

IsAuthorized(permissionCode,idMembers)

Summary

Authorizes the given permission and entityIds against the loaded permit set (using IsAuthorized). To authorize an entityId, its References collection will be used. Only one permitted reference is enough to authorize an entityId.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure (likely Unauthorized).

Parameters
Name Type Description
permissionCode System.String The permission code.
idMembers System.Collections.Generic.HashSet{ASPSecurityKit.Authorization.IIdMemberReference} The entityIds collection.
Exceptions
Type Description
System.ArgumentNullException When idMembers is null or permissionCode is null/empty/whitespace.
Remarks

The default implementation may return one of the following error messages for failure: DoNotOwnEntityIds, DidNotProvideRequiredEntityId, DoNotPossessPermission or Unauthorized depending on the failure reason. Once entityIds are authorized, the entity suspension check is invoked on them using IsSuspended.

IsSuspended(permissionCode,idMembers)

Summary

Performs the entity suspension check based on the given entityIds. See remarks for more details.

Returns

AuthResult instance with Code as Success if the given entityIds and their related references have no suspension being enforced; otherwise, Suspended with FailureDescription as EntitiesSuspended and Errors containing a list of details about the suspended entityIds.

Parameters
Name Type Description
permissionCode System.String The permission code.
idMembers System.Collections.Generic.HashSet{ASPSecurityKit.Authorization.IIdMemberReference} The entityIds collection.
Exceptions
Type Description
System.ArgumentNullException When idMembers is null or permissionCode is null/empty/whitespace.
Remarks

The default implementation works as follows: First, a call to GetSuspendedIds is made to get a list of ISuspendedId. Second, for each suspendedId received, a call is made to IsAllowed to determine whether the suspended id is permitted for the requested operation based on exclusion rules. Last, if any suspended id is left, it is reported as described under Returns. For detailed information, visit https://ASPSecurityKit.net/docs/article/suspension/#entity-suspension

AuthorizeAsync(permissionCode,method,arguments,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck)

Summary

Performs data authorization on the operation’s parameters. See IEntityIdAuthorizer remarks to learn about the flow.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
method System.Reflection.MethodInfo The method.
arguments System.Collections.Generic.IDictionary{System.String,System.Object} The operation’s arguments.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false (the default) and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false (the default) and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
Exceptions
Type Description
System.ArgumentNullException When method or arguments is null, or permissionCode is null/empty/whitespace.

AuthorizeAsync(permissionCode,method,arguments,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck,cancellationToken)

Summary

Performs data authorization on the operation’s parameters. See IEntityIdAuthorizer remarks to learn about the flow.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
method System.Reflection.MethodInfo The method.
arguments System.Collections.Generic.IDictionary{System.String,System.Object} The operation’s arguments.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false (the default) and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false (the default) and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
cancellationToken System.Threading.CancellationToken The cancellation token.
Exceptions
Type Description
System.ArgumentNullException When method or arguments is null, or permissionCode is null/empty/whitespace.

AuthorizeAsync(permissionCode,dto,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck)

Summary

Performs data authorization on the given request DTO. See IEntityIdAuthorizer remarks to learn about the flow.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
dto System.Object The request DTO object.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false (the default) and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false (the default) and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
Exceptions
Type Description
System.ArgumentNullException When dto is null or permissionCode is null/empty/whitespace.

AuthorizeAsync(permissionCode,dto,cancellationToken,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck)

Summary

Performs data authorization on the given request DTO. See IEntityIdAuthorizer remarks to learn about the flow.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
dto System.Object The request DTO object.
cancellationToken System.Threading.CancellationToken The cancellation token.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false (the default) and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false (the default) and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
Exceptions
Type Description
System.ArgumentNullException When dto is null or permissionCode is null/empty/whitespace.

IsAuthorizedAsync(permissionCode,idContainers)

Summary

Performs data authorization on the entityIds mentioned as properties in the given container objects. See IsAuthorized overload for more details.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
idContainers System.Object[] One or more container objects (usually anonymous types) each of which just contains entityId properties to authorize. Only properties having a non-null value (or at least one element in case of collections) will be considered.
Exceptions
Type Description
System.ArgumentNullException When permissionCode is null/empty/whitespace.
System.ArgumentException When idContainers is null/empty.
Remarks

This method invokes its other overload IsAuthorized passing both the bool arguments as false.

IsAuthorizedAsync(permissionCode,cancellationToken,idContainers)

Summary

Performs data authorization on the entityIds mentioned as properties in the given container objects. See IsAuthorized overload for more details.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
cancellationToken System.Threading.CancellationToken The cancellation token.
idContainers System.Object[] One or more container objects (usually anonymous types) each of which just contains entityId properties to authorize. Only properties having a non-null value (or at least one element in case of collections) will be considered.
Exceptions
Type Description
System.ArgumentNullException When permissionCode is null/empty/whitespace.
System.ArgumentException When idContainers is null/empty.
Remarks

This method invokes its other overload IsAuthorized passing both the bool arguments as false.

IsAuthorizedAsync(permissionCode,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck,idContainers)

Summary

Performs data authorization on the entityIds mentioned as properties in the given container objects. Although all properties are assumed to be entityId properties, only properties having a non-null value (or at least one element in case of collections) will be considered. If you’re looking to select specific properties as entityIds, use the Authorize method instead.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
idContainers System.Object[] One or more container objects (usually anonymous types) each of which just contains entityId properties to authorize. Only properties having a non-null value (or at least one element in case of collections) will be considered.
Exceptions
Type Description
System.ArgumentNullException When permissionCode is null/empty/whitespace.
System.ArgumentException When idContainers is null/empty.
Remarks

Use this method from authDefinitions, for example, to authorize entityIds using the flow mentioned on IEntityIdAuthorizer. For instance, you can call IsAuthorized(permissionCode, false, false, new { UserId = someObj.Id, someObj.ClientId },..). Only properties having a non-null value (or at least one element in case of collections) will be considered. See IEntityIdAuthorizer remarks for more information.

IsAuthorizedAsync(permissionCode,doNotPerformGeneralPermitCheck,doNotPerformPossessesPermissionCheck,cancellationToken,idContainers)

Summary

Performs data authorization on the entityIds mentioned as properties in the given container objects. Although all properties are assumed to be entityId properties, only properties having a non-null value (or at least one element in case of collections) will be considered. If you’re looking to select specific properties as entityIds, use the Authorize method instead.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure.

Parameters
Name Type Description
permissionCode System.String The permission code.
doNotPerformGeneralPermitCheck System.Boolean Indicates whether or not general permit based authorization is performed. If set to false and the current identity has a general permit with the given permissionCode, no data authorization will be performed as the current identity is deemed authorized on all records for the associated permission already.
doNotPerformPossessesPermissionCheck System.Boolean Indicates whether or not possesses permission check is performed. If set to false and the current identity does not have any permit with the given permissionCode, no data authorization will be performed as the current identity is deemed unauthorized on all records for the associated permission.
cancellationToken System.Threading.CancellationToken The cancellation token.
idContainers System.Object[] One or more container objects (usually anonymous types) each of which just contains entityId properties to authorize. Only properties having a non-null value (or at least one element in case of collections) will be considered.
Exceptions
Type Description
System.ArgumentNullException When permissionCode is null/empty/whitespace.
System.ArgumentException When idContainers is null/empty.
Remarks

Use this method from authDefinitions, for example, to authorize entityIds using the flow mentioned on IEntityIdAuthorizer. For instance, you can call IsAuthorized(permissionCode, false, false, new { UserId = someObj.Id, someObj.ClientId },..). Only properties having a non-null value (or at least one element in case of collections) will be considered. See IEntityIdAuthorizer remarks for more information.

IsAuthorizedAsync(permissionCode,idMembers)

Summary

Authorizes the given permission and entityIds against the loaded permit set (using IsAuthorized). To authorize an entityId, its References collection will be used. Only one permitted reference is enough to authorize an entityId.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure (likely Unauthorized).

Parameters
Name Type Description
permissionCode System.String The permission code.
idMembers System.Collections.Generic.HashSet{ASPSecurityKit.Authorization.IIdMemberReference} The entityIds collection.
Exceptions
Type Description
System.ArgumentNullException When idMembers is null or permissionCode is null/empty/whitespace.
Remarks

The default implementation may return one of the following error messages for failure: DoNotOwnEntityIds, DidNotProvideRequiredEntityId, DoNotPossessPermission or Unauthorized depending on the failure reason. Once entityIds are authorized, the entity suspension check is invoked on them using IsSuspended.

IsAuthorizedAsync(permissionCode,idMembers,cancellationToken)

Summary

Authorizes the given permission and entityIds against the loaded permit set (using IsAuthorized). To authorize an entityId, its References collection will be used. Only one permitted reference is enough to authorize an entityId.

Returns

AuthResult instance with Code as Success if the current identity has the necessary permit; otherwise, a possible reason of failure (likely Unauthorized).

Parameters
Name Type Description
permissionCode System.String The permission code.
idMembers System.Collections.Generic.HashSet{ASPSecurityKit.Authorization.IIdMemberReference} The entityIds collection.
cancellationToken System.Threading.CancellationToken The cancellation token.
Exceptions
Type Description
System.ArgumentNullException When idMembers is null or permissionCode is null/empty/whitespace.
Remarks

The default implementation may return one of the following error messages for failure: DoNotOwnEntityIds, DidNotProvideRequiredEntityId, DoNotPossessPermission or Unauthorized depending on the failure reason. Once entityIds are authorized, the entity suspension check is invoked on them using IsSuspended.

IsSuspendedAsync(permissionCode,idMembers)

Summary

Performs the entity suspension check based on the given entityIds. See remarks for more details.

Returns

AuthResult instance with Code as Success if the given entityIds and their related references have no suspension being enforced; otherwise, Suspended with FailureDescription as EntitiesSuspended and Errors containing a list of details about the suspended entityIds.

Parameters
Name Type Description
permissionCode System.String The permission code.
idMembers System.Collections.Generic.HashSet{ASPSecurityKit.Authorization.IIdMemberReference} The entityIds collection.
Exceptions
Type Description
System.ArgumentNullException When idMembers is null or permissionCode is null/empty/whitespace.
Remarks

The default implementation works as follows: First, a call to GetSuspendedIds is made to get a list of ISuspendedId. Second, for each suspendedId received, a call is made to IsAllowed to determine whether the suspended id is permitted for the requested operation based on exclusion rules. Last, if any suspended id is left, it is reported as described under Returns. For detailed information, visit https://ASPSecurityKit.net/docs/article/suspension/#entity-suspension

IsSuspendedAsync(permissionCode,idMembers,cancellationToken)

Summary

Performs the entity suspension check based on the given entityIds. See remarks for more details.

Returns

AuthResult instance with Code as Success if the given entityIds and their related references have no suspension being enforced; otherwise, Suspended with FailureDescription as EntitiesSuspended and Errors containing a list of details about the suspended entityIds.

Parameters
Name Type Description
permissionCode System.String The permission code.
idMembers System.Collections.Generic.HashSet{ASPSecurityKit.Authorization.IIdMemberReference} The entityIds collection.
cancellationToken System.Threading.CancellationToken The cancellation token.
Exceptions
Type Description
System.ArgumentNullException When idMembers is null or permissionCode is null/empty/whitespace.
Remarks

The default implementation works as follows: First, a call to GetSuspendedIds is made to get a list of ISuspendedId. Second, for each suspendedId received, a call is made to IsAllowed to determine whether the suspended id is permitted for the requested operation based on exclusion rules. Last, if any suspended id is left, it is reported as described under Returns. For detailed information, visit https://ASPSecurityKit.net/docs/article/suspension/#entity-suspension