Question

I need to access the Request object from my own authorization class. A controller attribute is probably not an option, and here's why.

  • There are users
  • There are objects
  • Users can have specific permissions to objects (read/write/delete/...)
  • Objects can be made public (also read/write)

Because of this system I need to write my own authorization logic, and it's not a problem. I was thinking of something like this:

Pseudo Code

public class ObjectsController : ApiController
{
    private readonly AuthorizationService _auth = new AuthorizationService();

    [Route]
    public async Task<IHttpActionResult> Get()
    {
        var obj = new object(); // this is object that we will be working with
        // Note: This is just for demo, real object will be something like `Item`

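        // CurrentUser can be null (no valid token), so check it before calling CanRead
        if (obj.IsPublic || (_auth.CurrentUser != null && _auth.CurrentUser.CanRead(obj)))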
        {
            return Ok(obj);
        }

        return Unauthorized();
    }
}

How I will check current user

  1. Check if there is header Token
  2. Check if there is url param ?token=
  3. Get user from token
  4. Return user or null

Problem

Now, because I need to check whether this user CAN read this Item (obj), AFAIK I cannot use a controller attribute because I first need to get the actual item from the database. What are my options? Can I access the current Request object to extract the needed values in my AuthorizationService class?


Solution

You can access it with HttpContext.Current.Request
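
A sketch of the AuthorizationService from the question built on HttpContext.Current.Request, added here as an example and not part of the original question or answer. The Item and User types, the in-memory token table and the sample token are assumptions; the service fails closed when there is no context, no token or no matching user.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical types: Item, User and the token table below are assumptions.
public class Item { public int Id; public bool IsPublic; }

public class User
{
    public string Name;
    public HashSet<int> ReadableItemIds = new HashSet<int>();
    public bool CanRead(Item item) { return ReadableItemIds.Contains(item.Id); }
}

public class AuthorizationService
{
    // Constructed sample data; a real service would query its token store.
    private static readonly Dictionary<string, User> UsersByToken =
        new Dictionary<string, User>(StringComparer.Ordinal)
        {
            { "constructed-sample-token", new User { Name = "alice", ReadableItemIds = { 1 } } }
        };

    // Steps 1-4 from the question: Token header, then ?token=, then user or null.
    public User CurrentUser
    {
        get
        {
            HttpContext ctx = HttpContext.Current;
            if (ctx == null) return null; // no System.Web context on this thread: fail closed
            string token = ctx.Request.Headers["Token"];
            if (string.IsNullOrWhiteSpace(token))
                token = ctx.Request.QueryString["token"];
            if (string.IsNullOrWhiteSpace(token)) return null;
            User user;
            return UsersByToken.TryGetValue(token.Trim(), out user) ? user : null;
        }
    }

    // Deny by default: anonymous callers can read public items only.
    public bool CanRead(Item item)
    {
        if (item == null) return false;
        if (item.IsPublic) return true;
        User user = CurrentUser;
        return user != null && user.CanRead(item);
    }
}
```

With this shape the controller can load the item first and then call `_auth.CanRead(item)`, so a missing or unknown token never reaches a null dereference. A token passed as `?token=` is written to server access logs and browser history, so the header form is preferable wherever the client can send it.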

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow