enhance dynamic authorization policies to support default role specification

Oqtane.Server/Security/AuthorizationPolicyProvider.cs

@@ -9,12 +9,10 @@ namespace Oqtane.Security
     public class AuthorizationPolicyProvider : DefaultAuthorizationPolicyProvider
     {
         private readonly AuthorizationOptions _options;
-        private readonly IConfiguration _configuration;
 
-        public AuthorizationPolicyProvider(IOptions<AuthorizationOptions> options, IConfiguration configuration) : base(options)
+        public AuthorizationPolicyProvider(IOptions<AuthorizationOptions> options) : base(options)
         {
             _options = options.Value;
-            _configuration = configuration;
         }
 
         public override async Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
@@ -25,18 +23,25 @@ namespace Oqtane.Security
 
             if (policy == null)
             {
-                // policy names must be in the form of "Entity:Permission" ie. "User:Read"
-                if (policyName.Contains(":"))
+                if (policyName.Contains(':'))
                 {
-                    var entityName = policyName.Split(':')[0];
-                    var permissionName = policyName.Split(':')[1];
+                    // policy names must be in the form of "EntityName:PermissionName:Roles" ie. "Module:Edit:Administrators" (roles are comma delimited)
+                    var policySegments = policyName.Split(':');
+                    if (policySegments.Length >= 3)
+                    {
+                        // check for optional RequireEntityId segment
+                        var requireEntityId = false;
+                        if (policySegments.Length == 4 && policySegments[3] == Constants.RequireEntityId)
+                        {
+                            requireEntityId = true;
+                        }
+                        policy = new AuthorizationPolicyBuilder()
+                            .AddRequirements(new PermissionRequirement(policySegments[0], policySegments[1], policySegments[2], requireEntityId))
+                            .Build();
 
-                    policy = new AuthorizationPolicyBuilder()
-                        .AddRequirements(new PermissionRequirement(entityName, permissionName))
-                        .Build();
-
-                    // add policy to the AuthorizationOptions
-                    _options.AddPolicy(policyName, policy);
+                        // add policy to the AuthorizationOptions
+                        _options.AddPolicy(policyName, policy);
+                    }
                 }
             }
 
@@ -46,8 +51,8 @@ namespace Oqtane.Security
         private string GetPolicyName(string policyName)
         {
             // backward compatibility for legacy static policy names
-            if (policyName == PolicyNames.ViewModule) policyName = "Module:View";
-            if (policyName == PolicyNames.EditModule) policyName = "Module:Edit";
+            if (policyName == PolicyNames.ViewModule) policyName = $"{EntityNames.Module}:{PermissionNames.View}:{RoleNames.Admin}:{Constants.RequireEntityId}";
+            if (policyName == PolicyNames.EditModule) policyName = $"{EntityNames.Module}:{PermissionNames.Edit}:{RoleNames.Admin}:{Constants.RequireEntityId}";
             return policyName;
         }
     }