Permission-based authorization utilizing Policies

Oqtane.Server/Security/ClaimsPrincipalFactory.cs

@@ -4,6 +4,7 @@ using System.Security.Claims;
 using System.Threading.Tasks;
 using Oqtane.Repository;
 using Oqtane.Models;
+using Oqtane.Shared;
 
 namespace Oqtane.Security
 {
@@ -29,9 +30,11 @@ namespace Oqtane.Security
             User user = Users.GetUser(identityuser.UserName);
             if (user != null)
             {
-                if (user.IsSuperUser)
+                id.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
+                if (user.IsHost) // host users are part of every site by default
                 {
-                    id.AddClaim(new Claim(options.ClaimsIdentity.RoleClaimType, "Administrators"));
+                    id.AddClaim(new Claim(options.ClaimsIdentity.RoleClaimType, Constants.HostRole));
+                    id.AddClaim(new Claim(options.ClaimsIdentity.RoleClaimType, Constants.AdminRole));
                 }
                 else
                 {

Oqtane.Server/Security/PermissionHandler.cs

@@ -0,0 +1,57 @@
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using Oqtane.Models;
+using Oqtane.Repository;
+
+namespace Oqtane.Security
+{
+    public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
+    {
+        private readonly IHttpContextAccessor HttpContextAccessor;
+        private readonly IPermissionRepository Permissions;
+
+        public PermissionHandler(IHttpContextAccessor HttpContextAccessor, IPermissionRepository Permissions)
+        {
+            this.HttpContextAccessor = HttpContextAccessor;
+            this.Permissions = Permissions;
+        }
+
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
+        {
+            // permission is scoped based on EntityId which must be passed as a querystring parameter
+            var ctx = HttpContextAccessor.HttpContext;
+            if (ctx != null && ctx.Request.Query.ContainsKey("entityid"))
+            {
+                int EntityId = int.Parse(ctx.Request.Query["entityid"]);
+                string permissions = Permissions.EncodePermissions(EntityId, Permissions.GetPermissions(requirement.EntityName, EntityId, requirement.PermissionName).ToList());
+
+                User user = new User();
+                user.UserId = -1;
+                user.Roles = "";
+
+                if (context.User != null)
+                {
+                    var idclaim = context.User.Claims.Where(item => item.Type == ClaimTypes.PrimarySid).FirstOrDefault();
+                    if (idclaim != null)
+                    {
+                        user.UserId = int.Parse(idclaim.Value);
+                        foreach (var claim in context.User.Claims.Where(item => item.Type == ClaimTypes.Role))
+                        {
+                            user.Roles += claim.Value + ";";
+                        }
+                        if (user.Roles != "") user.Roles = ";" + user.Roles;
+                    }
+                }
+
+                if (UserSecurity.IsAuthorized(user, requirement.PermissionName, permissions))
+                {
+                    context.Succeed(requirement);
+                }
+            }
+            return Task.CompletedTask;
+        }
+    }
+}

Oqtane.Server/Security/PermissionRequirement.cs

@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Oqtane.Security
+{
+    public class PermissionRequirement : IAuthorizationRequirement
+    {
+        public string EntityName { get; }
+
+        public string PermissionName { get; }
+
+        public PermissionRequirement(string EntityName, string PermissionName)
+        {
+            this.EntityName = EntityName;
+            this.PermissionName = PermissionName;
+        }
+    }
+}