
Adding additional policies to authorization allows the subsequent policies to return 403 instead of 401, which works out for what I want to do.

However when I have something like:

protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MustHaveResourceAccessRequirement requirement)
{
    if (context.Resource is AuthorizationFilterContext filterContext)
    {
        var request = filterContext.RouteData.Values["request"];

        ...
    }
}

I cannot access request since it's not part of the actual Route itself...

The controller action is:

public ActionResult GetResource([FromBody] GetResourceRequest request)

Since it's [FromBody] and not [FromRoute] it's not available.

Is it possible to get the bound model within an AuthorizationHandler without needing to manually figure out if it's from Query/Route/Body? I want to use this on many different requests, and I cannot have every request needing to specify another argument on every route.

Phill
  • Maybe this will help https://stackoverflow.com/questions/40494913/how-to-read-request-body-in-a-asp-net-core-webapi-controller – Ronald Haan May 06 '19 at 08:16
  • I've tried that, which is what the first bit of code is doing. The problem is it gives you the HttpContext, which contains separately the payload, query, routes, etc. And the RouteData, but it doesn't give you access to the bound model. – Phill May 06 '19 at 08:27
  • No, it's not possible. The model-binding is performed by MVC, which runs after authz. You can do something manual of course but it's not "built-in". – Kirk Larkin May 06 '19 at 10:31
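
Because model binding runs after the authorization stage, one manual approach is to make the check in an action filter, which runs after binding, and pass the bound model to `IAuthorizationService` as the resource. This is an added example, not code from the thread; `IResourceRequest`, `ResourceId`, `ResourceAccessFilter` and the `"resource"` claim rule are assumptions for illustration.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Requirement name is from the question; everything else below is hypothetical.
public class MustHaveResourceAccessRequirement : IAuthorizationRequirement { }

// Marker implemented by every request model that needs the check (assumed).
public interface IResourceRequest { string ResourceId { get; } }

public class GetResourceRequest : IResourceRequest
{
    public string ResourceId { get; set; }
}

// The typed handler receives the already-bound model as its resource.
public class MustHaveResourceAccessHandler
    : AuthorizationHandler<MustHaveResourceAccessRequirement, IResourceRequest>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        MustHaveResourceAccessRequirement requirement, IResourceRequest resource)
    {
        // Assumed rule: the caller holds a "resource" claim equal to the requested id.
        if (context.User.HasClaim("resource", resource.ResourceId ?? string.Empty))
            context.Succeed(requirement);
        return Task.CompletedTask; // not succeeding means the requirement fails
    }
}

// Global filter: runs after model binding, whatever the binding source was.
public class ResourceAccessFilter : IAsyncActionFilter
{
    private readonly IAuthorizationService _authz;
    public ResourceAccessFilter(IAuthorizationService authz) => _authz = authz;

    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
    {
        foreach (var model in context.ActionArguments.Values.OfType<IResourceRequest>())
        {
            var result = await _authz.AuthorizeAsync(
                context.HttpContext.User, model, new MustHaveResourceAccessRequirement());
            if (!result.Succeeded)
            {
                context.Result = new ForbidResult(); // 403; the action never runs
                return;
            }
        }
        await next();
    }
}
```

Register with `services.AddScoped<IAuthorizationHandler, MustHaveResourceAccessHandler>()` and `options.Filters.Add<ResourceAccessFilter>()`. A body that fails to bind leaves no `IResourceRequest` argument for the filter to check, so the action must still reject a null or invalid model.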
