
I know this subject has been covered a lot here, but I still haven't been able to find a post that would help me with what I need to do. I have a Web API in .NET Core 3.1 that communicates with the frontend in Angular. In this application, we will have several access profiles, with several features (menus) and permissions (read, create, edit).

What I'm trying to do is create an authorization form to mark each method, passing the user profile, functionality and permission. I would also like it to be possible to pass more than one permission, as in the example of listing products below.

I'm using JWT to generate tokens and also claims. I know that it is possible and recommended to use policies, but as there are dozens and maybe hundreds of profiles, I don't want to create a policy for each profile. I would like to leave a generic form so that the administrators can enter the profile management area and assign the appropriate permissions.

    [HttpGet]
    [CustomAuthorize(User = ETypeUser.Manager | ETypeUser.Vendor, 
                     Menu = EMenu.Product, 
                     Permission = EPermission.List | EPermission.Edit | EPermission.Create)]
    public async Task<IList<ReturnClassData<Product>>> ListProducts()
    {
        // .....
    }

    [HttpPost]
    [CustomAuthorize(User = ETypeUser.Admin, 
                     Menu = EMenu.Product, 
                     Permission = EPermission.Create)]
    public async Task<ReturnClass> CreateProduct(Product product)
    {
        // ...
    }

    [HttpPost]
    [CustomAuthorize(User = ETypeUser.Manager | ETypeUser.Admin, 
                     Menu = EMenu.Product, 
                     Permission = EPermission.Edit)]
    public async Task<ReturnClass> EditProduct(Product product)
    {
        // ...
    }

I have a similar example, but using the .NET framework.

Could anyone tell me if it would be possible to do this implementation or, if not, what a possible solution would be?

Note: I retrieve the profiles, features (menus) and permissions from the database.

Thanks

Matt U
Hi @afamtonio1, You could follow this answer: https://stackoverflow.com/a/53995840/11398810 – Rena Aug 27 '21 at 06:54
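
One way to build the attribute the question describes, as an added example (not code from the question, the comment or the linked answer): an MVC authorization filter that reads the caller's profile and permissions from the database on each request instead of trusting values baked into the token. The enum definitions, the `IPermissionStore` interface, the any-of matching of combined flags and the use of the `NameIdentifier` claim as the user id are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Assumed definitions: the question combines values with '|', so these are [Flags] enums.
[Flags] public enum ETypeUser { None = 0, Admin = 1, Manager = 2, Vendor = 4 }
[Flags] public enum EPermission { None = 0, List = 1, Create = 2, Edit = 4 }
public enum EMenu { Product = 1 }

// Hypothetical service over the profile/permission tables the administrators maintain.
public interface IPermissionStore
{
    Task<(ETypeUser Profile, EPermission Granted)> GetAsync(string userId, EMenu menu);
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class CustomAuthorizeAttribute : Attribute, IAsyncAuthorizationFilter
{
    public ETypeUser User { get; set; }           // accepted profiles (any of)
    public EMenu Menu { get; set; }               // feature being accessed
    public EPermission Permission { get; set; }   // accepted permissions (any of, assumed)

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var principal = context.HttpContext.User;
        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (principal.Identity?.IsAuthenticated != true || userId == null)
        {
            context.Result = new UnauthorizedResult();   // 401: no valid token
            return;
        }
        // Look up current rights server-side so a revoked permission takes effect
        // before the JWT expires.
        var store = context.HttpContext.RequestServices.GetRequiredService<IPermissionStore>();
        var (profile, granted) = await store.GetAsync(userId, Menu);
        // Fails closed: an attribute left at None (0) never matches.
        bool profileOk = (profile & User) != 0;
        bool permissionOk = (granted & Permission) != 0;
        if (!profileOk || !permissionOk)
            context.Result = new ForbidResult();         // 403: authenticated, not allowed
    }
}
```

An `IPermissionStore` implementation has to be registered in `ConfigureServices` (for example as a scoped service); caching its lookups trades database load against how quickly a revocation is enforced.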
