2

I'm writing a REST API framework, and I'd like to create a DB authorization context. The context takes in a role resolver and uses that to filter the default set, based on a set of rules.

In my first attempt, I thought maybe I could apply default filters to the entity sets to prohibit access to certain resources:

public class AuthorizationContext : DbContext
{
    protected IConstraintResolver _constraintResolver;
    public AuthorizationContext(IConstraintResolver constraintResolver)
    {
        this._constraintResolver = constraintResolver;

    }

    public override DbSet<TEntity> Set<TEntity>()
    {
        var defaultSet = base.Set<TEntity>();

        var constraints = this._constraintResolver.GetConstraintsForTypeByRole<TEntity>();

        var filteredSet = base.Set<TEntity>().AsQueryable();

        foreach (var constraint in constraints)
        {
            filteredSet = filteredSet.Where(constraint);
        }
        //how do I apply this back to the innerQueryable
        return filteredSet;
    }
}

But this does not compile because I cannot transform my Queryable back to a filtered DbSet.

I found a few articles on different ways to secure data in EF-Core, but using this method would require, is not how I want to secure my data.

  1. I want my context to implicitly secure data based off the role (so that any user using the context will not have to worry about wrapping their queries to check for authorization.)
  2. A lot of additional configuration for the user

I have a function which already generates my Expressions based on the metadata of the SQL. My issue is applying the filter to the DBSets.

Assuming you are given an Expression<TEntity, Bool>, how can I secure my context so that a user can only access or modify the data I've decided?

johnny 5

1 Answer

2

Expression<TEntity, bool> sounds like a good candidate for EF Core 2.0 Global Query Filter.

You can set it for specific entity:

modelBuilder.Entity<SomeEntity>().HasQueryFilter(expression);

or for multiple entities based on some criteria - examples are "EF-Core 2.0 Filter all queries (trying to achieve soft delete)" and "ef core 2 apply HasQueryFilter for all entity".

Please note that currently the global query filters have some limitations and special requirements to be rooted to the DbContext derived class if they need to be dynamic etc. ("EF Core: Soft delete with shadow properties and query filters"). I'm pretty sure they will be improved over time, but it's good to check if the current functionality can serve your needs.

Ivan Stoev
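
Added example, not part of the answer above or of EF Core's own samples: a global query filter whose role-dependent parts are rooted in fields of the context, which is the requirement the answer mentions for dynamic filters. The `Document` entity and the `ICurrentUser` interface are hypothetical stand-ins for the question's entities and role resolver.

```csharp
using Microsoft.EntityFrameworkCore;

// Hypothetical entity, invented for this example.
public class Document
{
    public int Id { get; set; }
    public string Title { get; set; }
    public int OwnerId { get; set; }
    public bool IsPublic { get; set; }
}

// Hypothetical stand-in for the question's role resolver.
public interface ICurrentUser
{
    int UserId { get; }
    bool IsAdmin { get; }
}

public class AuthorizationContext : DbContext
{
    // Per-instance values. The model, including the filter expression, is
    // built once per context type and cached, so the filter must read
    // user-specific state through fields of the context; EF Core then
    // re-evaluates them for each context instance.
    private readonly int _userId;
    private readonly bool _isAdmin;

    public AuthorizationContext(
        DbContextOptions<AuthorizationContext> options, ICurrentUser user)
        : base(options)
    {
        _userId = user.UserId;
        _isAdmin = user.IsAdmin;
    }

    public DbSet<Document> Documents { get; set; }

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Appended to every LINQ query over Document, including queries
        // that reach Document through Include or a navigation property.
        modelBuilder.Entity<Document>().HasQueryFilter(
            d => _isAdmin || d.IsPublic || d.OwnerId == _userId);
    }
}
```

The filter constrains queries only: inserts, updates and deletes sent through `SaveChanges` are not checked by it, so the "modify" half of the question needs a separate check. Any query can also opt out with `IgnoreQueryFilters()`, so code that holds the context has to be trusted not to call it.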