fix #1367 - provides support for multiple entities in auth policy and makes parameter names more intuitive - backward compatible with entityid

Oqtane.Server/Security/PermissionHandler.cs

@@ -1,4 +1,4 @@
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Oqtane.Enums;
@@ -22,11 +22,19 @@ namespace Oqtane.Security
 
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
         {
-            // permission is scoped based on EntityId which must be passed as a querystring parameter
+            // permission is scoped based on auth{entityname}id (ie ?authmoduleid ) which must be passed as a querystring parameter
             var ctx = _httpContextAccessor.HttpContext;
-            if (ctx != null && ctx.Request.Query.ContainsKey("entityid"))
+            if (ctx != null)
             {
-                int entityId = int.Parse(ctx.Request.Query["entityid"]);
+                int entityId = -1;
+                if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
+                {
+                    entityId = int.Parse(ctx.Request.Query["auth" + requirement.EntityName.ToLower() + "id"]);
+                }
+                if (entityId == -1 && ctx.Request.Query.ContainsKey("entityid"))
+                {
+                    entityId = int.Parse(ctx.Request.Query["entityid"]);
+                }
                 if (_userPermissions.IsAuthorized(context.User, requirement.EntityName, entityId, requirement.PermissionName))
                 {
                     context.Succeed(requirement);
@@ -39,4 +47,4 @@ namespace Oqtane.Security
             return Task.CompletedTask;
         }
     }
-}
+}