我正在尝试设置一个授权策略,该策略可用于装饰.net core 3.1中API控制器中的操作。我一直在关注这些示例: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-3.1
如果我具有如下所示装饰的API动作,则我的代码未到达处理程序的HandleRequirementAsync方法,并且我从Swagger获得403 Forbidden响应。如果我从处理程序/需求中删除Document模型,则它确实可以工作。我是在做错什么还是API请求不支持此操作?
这是其他相关代码:
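/// <summary>
/// Resource-based handler: satisfies <see cref="SameAuthorRequirement"/> only when the
/// current principal's identity name equals the <c>Author</c> of the <see cref="Document"/>
/// under evaluation. The generic base class dispatches to this handler only when the
/// authorization resource is a <see cref="Document"/>; for any other resource the
/// requirement is left unmet and the request is denied.
/// </summary>
public class DocumentAuthorizationHandler :
    AuthorizationHandler<SameAuthorRequirement, Document>
{
    /// <summary>
    /// Marks <paramref name="requirement"/> as met when the caller is the document's author.
    /// </summary>
    /// <param name="context">Carries the current principal and records the outcome.</param>
    /// <param name="requirement">The requirement being evaluated.</param>
    /// <param name="resource">The document whose <c>Author</c> is compared against the caller.</param>
    /// <returns>A completed task; the decision is recorded on <paramref name="context"/>.</returns>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        SameAuthorRequirement requirement,
        Document resource)
    {
        var callerName = context.User.Identity?.Name;

        // An unauthenticated principal has no name (null). With a bare `==`, a null caller
        // name compares equal to a document whose Author is also null/unset, which would
        // grant the requirement to an anonymous caller. Require a non-empty name first.
        // String `==` is an ordinal comparison, which is the right semantics for an identifier.
        if (!string.IsNullOrEmpty(callerName) && callerName == resource.Author)
        {
            context.Succeed(requirement);
        }

        // Deliberately no Fail(): leaving the requirement unmet still denies, while allowing
        // another handler registered for the same requirement to succeed.
        return Task.CompletedTask;
    }
}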
/// <summary>
/// Marker requirement used by the "EditPolicy" policy. It carries no data of its own;
/// whether it is met is decided entirely by the handler(s) registered for it.
/// </summary>
public class SameAuthorRequirement : IAuthorizationRequirement
{
}
/// <summary>
/// Returns the file for the document identified in the route.
/// </summary>
/// <param name="model">Document bound from the route values.</param>
// NOTE(review): [Authorize(Policy = ...)] is evaluated by the authorization filter before this
// action runs and before `model` is bound, so the resource handed to the policy is not a
// Document. DocumentAuthorizationHandler is typed on Document and therefore never runs; no
// handler succeeds, and the request is rejected with 403 — matching the symptom described above.
// For a resource-based check the documented pattern is to inject IAuthorizationService and call
// AuthorizeAsync(User, model, "EditPolicy") inside the action, returning Forbid() when
// Succeeded is false. (The attribute can stay if a second, non-resource policy is wanted.)
[Authorize(Policy = "EditPolicy")]
public async Task<FileResult> RetreiveFile([FromRoute]Document model)
{
    // Body omitted in the question.
}
// "EditPolicy" is satisfied only when a handler marks SameAuthorRequirement as met.
services.AddAuthorization(options =>
    options.AddPolicy("EditPolicy", policy => policy.AddRequirements(new SameAuthorRequirement())));

// Register the handler that evaluates SameAuthorRequirement against a Document.
// Singleton lifetime is appropriate: the handler holds no per-request state.
services.AddSingleton<IAuthorizationHandler, DocumentAuthorizationHandler>();