diff --git a/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs b/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
index 51ab7887..1e9d42ab 100644
--- a/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
+++ b/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
@@ -21,23 +21,23 @@ namespace Oqtane.Modules.HtmlText.Services
public async Task GetHtmlTextAsync(int moduleId)
{
- var htmltext = await GetJsonAsync>($"{ApiUrl}/{moduleId}?entityid={moduleId}");
+ var htmltext = await GetJsonAsync>(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", moduleId));
return htmltext.FirstOrDefault();
}
public async Task AddHtmlTextAsync(HtmlTextInfo htmlText)
{
- await PostJsonAsync($"{ApiUrl}?entityid={htmlText.ModuleId}", htmlText);
+ await PostJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}", htmlText.ModuleId), htmlText);
}
public async Task UpdateHtmlTextAsync(HtmlTextInfo htmlText)
{
- await PutJsonAsync($"{ApiUrl}/{htmlText.HtmlTextId}?entityid={htmlText.ModuleId}", htmlText);
+ await PutJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{htmlText.HtmlTextId}", htmlText.ModuleId), htmlText);
}
public async Task DeleteHtmlTextAsync(int moduleId)
{
- await DeleteAsync($"{ApiUrl}/{moduleId}?entityid={moduleId}");
+ await DeleteAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", moduleId));
}
}
}
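Review bot: In AddHtmlTextAsync the first argument `$"{ApiUrl}"` is an interpolated string wrapping a single value, which adds nothing if `ApiUrl` is already a string (its declaration is outside this hunk). Passing it directly reads more clearly: `await PostJsonAsync(CreateAuthorizationPolicyUrl(ApiUrl, htmlText.ModuleId), htmlText);`. The other three calls build a path segment and are fine as written.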
diff --git a/Oqtane.Client/Services/ServiceBase.cs b/Oqtane.Client/Services/ServiceBase.cs
index 091709f2..2e891ca3 100644
--- a/Oqtane.Client/Services/ServiceBase.cs
+++ b/Oqtane.Client/Services/ServiceBase.cs
@@ -170,6 +170,19 @@ namespace Oqtane.Services
// can be used to override the default alias
public Alias Alias { get; set; }
+ // add entityid parameter to url for custom authorization policy
+ public string CreateAuthorizationPolicyUrl(string url, int entityId)
+ {
+ if (url.Contains("?"))
+ {
+ return url + "&entityid=" + entityId.ToString();
+ }
+ else
+ {
+ return url + "?entityid=" + entityId.ToString();
+ }
+ }
+
[Obsolete("This method is obsolete. Use CreateApiUrl(Alias alias, string serviceName) instead.", false)]
public string CreateApiUrl(Alias alias, string absoluteUri, string serviceName)
{
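Review bot: CreateAuthorizationPolicyUrl appends `entityid` without checking whether the url already carries one, so a caller that passes a url with an existing `entityid` sends the parameter twice. The server side added in this commit reads it with `int.Parse(Query["entityid"])`, and a repeated key reaches that call as a comma-joined value that fails to parse. The `//` comment should become an XML summary stating that `url` must not already contain `entityid` or a `#` fragment, and that the value only tells the server which entity the policy should check. Formatting the id with `entityId.ToString(CultureInfo.InvariantCulture)` would also keep the wire format independent of the client's culture.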
diff --git a/Oqtane.Server/Controllers/ModuleControllerBase.cs b/Oqtane.Server/Controllers/ModuleControllerBase.cs
new file mode 100644
index 00000000..b934e684
--- /dev/null
+++ b/Oqtane.Server/Controllers/ModuleControllerBase.cs
@@ -0,0 +1,21 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Http;
+using Oqtane.Infrastructure;
+
+namespace Oqtane.Controllers
+{
+ public class ModuleControllerBase : Controller
+ {
+ protected readonly ILogManager _logger;
+ protected int _entityId = -1; // passed as a querystring parameter for policy authorization and used for validation
+
+ public ModuleControllerBase(ILogManager logger, IHttpContextAccessor accessor)
+ {
+ _logger = logger;
+ if (accessor.HttpContext.Request.Query.ContainsKey("entityid"))
+ {
+ _entityId = int.Parse(accessor.HttpContext.Request.Query["entityid"]);
+ }
+ }
+ }
+}
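Review bot: The `int.Parse` call in the constructor runs on a client-supplied query value, so a non-numeric, out-of-range or repeated `entityid` throws while the controller is being constructed and most likely surfaces as a server error rather than a clean rejection. Prefer `if (int.TryParse(accessor.HttpContext.Request.Query["entityid"], out var entityId)) { _entityId = entityId; }` and keep the `-1` default otherwise. Because `_entityId` comes straight from the request, the field comment should also state that derived controllers must compare it with the module id of the record they read or modify before acting. The policy check presumably authorizes only the id the caller chose to send, so without that comparison a caller permitted on one module could address another module's content.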
diff --git a/Oqtane.Server/Modules/HtmlText/Controllers/HtmlTextController.cs b/Oqtane.Server/Modules/HtmlText/Controllers/HtmlTextController.cs
index fc9495fc..ba164d4f 100644
--- a/Oqtane.Server/Modules/HtmlText/Controllers/HtmlTextController.cs
+++ b/Oqtane.Server/Modules/HtmlText/Controllers/HtmlTextController.cs
@@ -8,24 +8,18 @@ using System;
using System.Collections.Generic;
using Oqtane.Enums;
using Oqtane.Infrastructure;
+using Oqtane.Controllers;
namespace Oqtane.Modules.HtmlText.Controllers
{
[Route("{alias}/api/[controller]")]
- public class HtmlTextController : Controller
+ public class HtmlTextController : ModuleControllerBase
{
private readonly IHtmlTextRepository _htmlText;
- private readonly ILogManager _logger;
- private int _entityId = -1; // passed as a querystring parameter for authorization and used for validation
- public HtmlTextController(IHtmlTextRepository htmlText, ILogManager logger, IHttpContextAccessor httpContextAccessor)
+ public HtmlTextController(IHtmlTextRepository htmlText, ILogManager logger, IHttpContextAccessor accessor) : base(logger, accessor)
{
_htmlText = htmlText;
- _logger = logger;
- if (httpContextAccessor.HttpContext.Request.Query.ContainsKey("entityid"))
- {
- _entityId = int.Parse(httpContextAccessor.HttpContext.Request.Query["entityid"]);
- }
}
// GET api//5
diff --git a/Oqtane.Server/Startup.cs b/Oqtane.Server/Startup.cs
index b9f001bc..ee53f340 100644
--- a/Oqtane.Server/Startup.cs
+++ b/Oqtane.Server/Startup.cs
@@ -72,7 +72,7 @@ namespace Oqtane
});
}
- // register authorization services
+ // register custom authorization policies
services.AddAuthorizationCore(options =>
{
options.AddPolicy("ViewPage", policy => policy.Requirements.Add(new PermissionRequirement(EntityNames.Page, PermissionNames.View)));