ASP.NET Core uses AccessControlHelper to control access rights

  • 2021-11-10 09:23:17
  • OfStack

Intro#

A project required permission control in a web framework built on ASP.NET MVC, which is how this permission control component came about. At first it supported only .NET Framework. After the release of .NET Core 2.0 it added support for ASP.NET Core, and after the release of .NET Core 3.0 it added support for ASP.NET Core 3.0 (version 1.9.0 and later). At present, ASP.NET Core is the better-supported platform: there you can use a TagHelper to control access to elements on a page, and you can also use a Policy to control access. Access to static resources can be controlled as well, through middleware.

Install AccessControlHelper nuget package #

Install the NuGet package WeihanLi.AspNetMvc.AccessControlHelper:


dotnet add package WeihanLi.AspNetMvc.AccessControlHelper

Implement your own access policy #

Resource Access Policy/API Access Policy #

The following code defines a simple access policy that requires the user to be logged in and to have the Admin role. Adjust and optimize it according to your own needs.


public class AdminPermissionRequireStrategy : IResourceAccessStrategy
{
  private readonly IHttpContextAccessor _accessor;

  public AdminPermissionRequireStrategy(IHttpContextAccessor accessor)
  {
    _accessor = accessor;
  }

  public bool IsCanAccess(string accessKey)
  {
    // Fail closed: deny when there is no request context or no authenticated identity
    var user = _accessor.HttpContext?.User;
    return user?.Identity?.IsAuthenticated == true && user.IsInRole("Admin");
  }

  public IActionResult DisallowedCommonResult => new ContentResult
  {
    Content = "No Permission",
    ContentType = "text/plain",
    StatusCode = 403
  };

  public IActionResult DisallowedAjaxResult => new JsonResult(new JsonResultModel
  {
    ErrorMsg = "No Permission",
    Status = JsonResultStatus.NoPermission
  });
}

Page Element Access Policy

Define page element/control access policy:


public class AdminOnlyControlAccessStrategy : IControlAccessStrategy
{
  private readonly IHttpContextAccessor _accessor;

  public AdminOnlyControlAccessStrategy(IHttpContextAccessor httpContextAccessor) => _accessor = httpContextAccessor;

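  public bool IsControlCanAccess(string accessKey)
  {
    // Elements marked with the "Never" key are hidden from everyone
    if ("Never".Equals(accessKey, System.StringComparison.OrdinalIgnoreCase))
    {
      return false;
    }
    // Fail closed: deny when there is no request context or no authenticated identity
    var user = _accessor.HttpContext?.User;
    return user?.Identity?.IsAuthenticated == true && user.IsInRole("Admin");
  }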
}

Service registration configuration #

Register the service in Startup:


services.AddAccessControlHelper()
  .AddResourceAccessStrategy<Filters.AdminPermissionRequireStrategy>()
  .AddControlAccessStrategy<Filters.AdminOnlyControlAccessStrategy>()
  ;

If your application is a Web API only, no page elements are involved, so you can register just the ResourceAccessStrategy:


services.AddAccessControlHelper()
.AddResourceAccessStrategy<Filters.AdminPermissionRequireStrategy>();

By default, the access strategy is registered with a singleton lifetime. If you need it to be Scoped, specify the lifetime when registering:


services.AddAccessControlHelper()
.AddResourceAccessStrategy<Filters.AdminPermissionRequireStrategy>(ServiceLifetime.Scoped);

API/Permission Control of Resources #

For ASP.NET Core applications, it is recommended to use a Policy for permission control. Set [Authorize("AccessControl")] or [Authorize(AccessControlHelperConstants.PolicyName)] on each Action or Controller that requires permission control:


[Authorize(AccessControlHelperConstants.PolicyName)]
public class SystemSettingsController : AdminBaseController
{
  // ...
}

[Authorize(AccessControlHelperConstants.PolicyName)]
public ActionResult UserList()
{
  return View();
}

Permission control of page elements #

Reference to TagHelper #

Import the TagHelper of AccessControlHelper in the _ViewImports.cshtml file under the Views directory:


@using ActivityReservation
@using WeihanLi.AspNetMvc.AccessControlHelper
@using WeihanLi.AspNetMvc.MvcSimplePager

@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
@addTagHelper *, WeihanLi.AspNetMvc.AccessControlHelper

For details, see: https://github.com/WeihanLi/ActivityReservation/blob/ActivityReservation/Areas/Admin/Views/_ ViewImports/cshtml

Page Element Configuration #

Adding the asp-access attribute to an element is enough to put it under permission control. If an access key is needed, set it with asp-access-key:


<ul class="list-group" asp-access asp-access-key="AdminOnly">
  <li role="separator" class="list-unstyled">
    <br />
  </li>
  <li class="list-group-item">@Html.ActionLink(" User management ", "UserList", "Account")</li>

  <li class="list-group-item">@Html.ActionLink(" Operation log view ", "Index", "OperationLog")</li>
  <li class="list-group-item">@Html.ActionLink(" System setup management ", "Index", "SystemSettings")</li>
  <li class="list-group-item">
    @Html.ActionLink(" WeChat Settings Management ", "Index", new {
    controller = "Config",
    area = "Wechat"
  })
  </li>
</ul>

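That is all that is needed. When the user has permission, the element renders normally. When the user does not have permission, this ul is not rendered at all, so the corresponding markup does not appear in the page source in the client browser. Hiding the links only affects the page; the actions they point to still need the Policy described above so that a direct request is also rejected.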
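
The strategies above ignore the access key except for "Never". The following added example (not code from the AccessControlHelper project) shows a control access strategy that actually uses the asp-access-key value and denies unknown keys. The class name KeyedRoleControlAccessStrategy, the "Reports" key, the "Auditor" role, and the handling of a missing key are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Http;
using WeihanLi.AspNetMvc.AccessControlHelper;

// Added example: hypothetical class, registered the same way as on this page:
// services.AddAccessControlHelper().AddControlAccessStrategy<KeyedRoleControlAccessStrategy>();
public class KeyedRoleControlAccessStrategy : IControlAccessStrategy
{
    // Constructed table: asp-access-key value -> roles allowed to see the element.
    private static readonly IReadOnlyDictionary<string, string[]> RolesByKey =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["AdminOnly"] = new[] { "Admin" },
            ["Reports"] = new[] { "Admin", "Auditor" },
        };

    private readonly IHttpContextAccessor _accessor;

    public KeyedRoleControlAccessStrategy(IHttpContextAccessor accessor) => _accessor = accessor;

    public bool IsControlCanAccess(string accessKey)
    {
        // Fail closed when there is no request context or the user is anonymous.
        var user = _accessor.HttpContext?.User;
        if (user?.Identity?.IsAuthenticated != true)
        {
            return false;
        }

        // Assumption: asp-access without asp-access-key gets the strictest rule.
        if (string.IsNullOrWhiteSpace(accessKey))
        {
            return user.IsInRole("Admin");
        }

        // Keys missing from the table (a typo in a view, or "Never") are denied,
        // so a misspelled key hides the element instead of exposing it.
        return RolesByKey.TryGetValue(accessKey, out var roles)
            && roles.Any(user.IsInRole);
    }
}
```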

Reference#

https://github.com/WeihanLi/ActivityReservation

https://github.com/WeihanLi/AccessControlHelper
