Principal based authorization of relationships #473

Closed
wisepotato opened this issue Feb 8, 2019 · 3 comments
@wisepotato
Contributor

Description

Maybe

I wish to have the ability to have attribute/relationships hiding based on authorization (policy, other class, function etc).

Is there anything possible at the moment? I think a general function that can be registered that checks if a user/entity is able to access an attribute would help greatly in the versatility of JsonApiDotNetCore on a more enterprise level.

Any thoughts on this? I am implementing this in business logic on the service level at the moment, but wish to move away from this soon.

Environment

  • JsonApiDotNetCore Version: latest
  • Other Relevant Package Versions:

@jaredcnance
Contributor

This should be doable by implementing a ResourceDefinition: https://github.com/json-api-dotnet/JsonApiDotNetCore/blob/master/docs/usage/resources/resource-definitions.md

One example might look like:

public class ModelResource : ResourceDefinition<Model>
{
    // ICurrentUser is an application-specific service describing the caller.
    private readonly ICurrentUser _currentUser;

    public ModelResource(ICurrentUser currentUser)
    {
        _currentUser = currentUser;
    }

    // Decide per request which attributes are written to the response.
    protected override List<AttrAttribute> OutputAttrs()
        => _currentUser.IsAdmin
             ? base.OutputAttrs() // return all attrs
             : Remove(m => m.AccountNumber, from: base.OutputAttrs()); // remove account-number
}
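
The same idea generalised to registered per-attribute checks against a `ClaimsPrincipal`, which is what the issue asks for. This is an added example, not part of the thread and not JsonApiDotNetCore code: `AttributePolicy<T>`, `Restrict` and `Project` are hypothetical names, and `Model` with its values is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Security.Claims;

// Constructed sample resource mirroring the AccountNumber case above.
public class Model
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string AccountNumber { get; set; }
}

// Hypothetical helper (not a JsonApiDotNetCore type): per-attribute read checks.
public sealed class AttributePolicy<T>
{
    private readonly Dictionary<string, Func<ClaimsPrincipal, bool>> _rules = new();

    // Register the check a principal must pass to read one attribute.
    public AttributePolicy<T> Restrict(Expression<Func<T, object>> attr,
                                       Func<ClaimsPrincipal, bool> check)
    {
        // Value-typed members arrive wrapped in a Convert node; unwrap it.
        var body = attr.Body is UnaryExpression u ? u.Operand : attr.Body;
        _rules[((MemberExpression)body).Member.Name] = check;
        return this;
    }

    // Project the resource to the attributes this principal may see.
    // Attributes with no registered rule are treated as public.
    public Dictionary<string, object> Project(T resource, ClaimsPrincipal user) =>
        typeof(T).GetProperties()
            .Where(p => !_rules.TryGetValue(p.Name, out var check) || check(user))
            .ToDictionary(p => p.Name, p => p.GetValue(resource));
}

public static class Program
{
    public static void Main()
    {
        var policy = new AttributePolicy<Model>()
            .Restrict(m => m.AccountNumber, u => u.IsInRole("admin"));
        var model = new Model { Id = 1, Name = "demo", AccountNumber = "constructed-0001" };
        var admin = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Role, "admin") }, "demo"));
        var guest = new ClaimsPrincipal(new ClaimsIdentity());
        Console.WriteLine(string.Join(", ", policy.Project(model, admin).Keys));
        Console.WriteLine(string.Join(", ", policy.Project(model, guest).Keys));
    }
}
```

Keeping the rules in one registry makes the set of restricted attributes reviewable in a single place instead of being spread across service-level business logic.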

@wisepotato
Contributor Author

Thank you very much! I couldn't find this in the online docs, will you be updating this at one point or should we build them locally?

@jaredcnance
Contributor

Thanks for reminding me. The latest docs have been deployed here. I'm still working on CI and they're still a WIP so feel free to contribute if you see something missing or wrong.