You can access it with HttpContext.Current.Request
How can I access the current request from my own authorization class?
11-07-2023
Question
I need to access the Request object from my own authorization class. A controller attribute is probably not an option, and here's why.
- There are users
- There are objects
- Users can have specific permissions to objects (read/write/delete/...)
- Objects can be made public (also read/write)
Because of this system I need to write my own authorization logic and it's not a problem, I was thinking of something like so:
Pseudo Code
public class ObjectsController : ApiController
{
    private readonly AuthorizationService _auth = new AuthorizationService();

    [Route]
    public async Task<IHttpActionResult> Get()
    {
        var obj = new object(); // this is object that we will be working with
        // Note: This is just for demo, real object will be something like `Item`
        if (obj.IsPublic || _auth.CurrentUser.CanRead(obj))
        {
            return Ok(obj);
        }
        return Unauthorized();
    }
}
How I will check current user
- Check if there is header Token
- Check if there is url param ?token=
- Get user from token
- Return user or null
Problem
Now, because I need to check whether this user CAN read this Item (obj), AFAIK I cannot use a controller attribute because I first need to get the actual item from the database. What are my options? Can I access the current Request object to extract the needed values in my AuthorizationService class?
Solution
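An added example, not part of the original question or answer: one way an AuthorizationService could read the token through HttpContext.Current.Request, following the steps listed in the question, and make the permission check after the item has been loaded. The User and Item types and the findUserByToken delegate are hypothetical, and the code assumes System.Web (IIS) hosting, where HttpContext.Current is available.

```csharp
using System;
using System.Collections.Generic;
using System.Web; // HttpContext.Current exists only under System.Web hosting

// Hypothetical domain types standing in for the asker's real ones.
public class Item
{
    public int Id;
    public bool IsPublic;
}

public class User
{
    public HashSet<int> ReadableItemIds = new HashSet<int>();
    public bool CanRead(Item item) { return ReadableItemIds.Contains(item.Id); }
}

public class AuthorizationService
{
    // Assumption: token-to-user lookup is supplied by the caller (e.g. a DB query).
    private readonly Func<string, User> _findUserByToken;

    public AuthorizationService(Func<string, User> findUserByToken)
    {
        _findUserByToken = findUserByToken;
    }

    // Steps from the question: header "Token", then "?token=", then lookup.
    public User CurrentUser
    {
        get
        {
            HttpContext context = HttpContext.Current;
            if (context == null) return null; // self-hosted or background thread
            string token = context.Request.Headers["Token"];
            if (string.IsNullOrWhiteSpace(token))
                token = context.Request.QueryString["token"];
            if (string.IsNullOrWhiteSpace(token)) return null;
            return _findUserByToken(token); // null when the token is unknown
        }
    }

    // Call after loading the item; denies by default for null item or anonymous user.
    public bool CanRead(Item item)
    {
        if (item == null) return false;
        if (item.IsPublic) return true;
        User user = CurrentUser;
        return user != null && user.CanRead(item);
    }
}
```

Routing the check through CanRead(item) avoids the NullReferenceException that `_auth.CurrentUser.CanRead(obj)` would throw for a request without a valid token. Tokens passed as `?token=` are recorded in server access logs and can leak through Referer headers, so the header form is the safer of the two.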
Licensed under: CC-BY-SA with attribution