Extending Authorization Policies¶
Virto Commerce supports extending the existing authorization policies that are defined and checked in the API controllers and elsewhere. This article shows how to use various techniques to extend an authorization policy type without modifying the original code.
Click here to view or download our sample code.
Extending Existing Authorization Policies¶
Assume the Order Module contains the authorization check shown below. We want to extend the default OrderAuthorizationHandler, which is associated with the OrderAuthorizationRequirement evaluated during this check, with a new policy that limits the returned orders by their statuses. The goal is a role that lets certain users see only orders in certain status(es).
```csharp
[HttpPost]
[Route("api/order/customerOrders/search")]
public async Task<ActionResult<CustomerOrderSearchResult>> SearchCustomerOrder([FromBody] CustomerOrderSearchCriteria criteria)
{
    // The search criteria are passed as the resource, so handlers may narrow them before the search runs.
    var authorizationResult = await _authorizationService.AuthorizeAsync(User, criteria, new OrderAuthorizationRequirement(ModuleConstants.Security.Permissions.Read));
    if (!authorizationResult.Succeeded)
    {
        // Note: for an authenticated caller that lacks the permission, Forbid() (403) is the more precise response.
        return Unauthorized();
    }

    // Search logic skipped for better clarity
}
```
To enable this extension, define a new CustomOrderAuthorizationHandler class that targets the same OrderAuthorizationRequirement the original controller method uses for its authorization check:
```csharp
public sealed class CustomOrderAuthorizationHandler : PermissionAuthorizationHandlerBase<OrderAuthorizationRequirement>
{
    //Code skipped for better clarity
}
```
Register your handler in DI so that ASP.NET Core Authorization invokes it alongside the other handlers associated with OrderAuthorizationRequirement (all handlers registered for a requirement are evaluated, and a context.Fail() from any one of them makes the whole check fail):
```csharp
public class Module : IModule
{
    public void Initialize(IServiceCollection serviceCollection)
    {
        //Rest of code skipped for better clarity
        serviceCollection.AddTransient<IAuthorizationHandler, CustomOrderAuthorizationHandler>();
    }
}
```
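The following is an added example of what the skipped handler body could look like; it is not the page's or the Order Module's own code. It assumes a hypothetical OrderStatusScope permission scope (one scope per allowed status), the CustomerOrderSearchCriteria.Statuses property, the platform's FindPermission extension on ClaimsPrincipal, and the namespaces shown, all of which should be checked against your platform version. The security-relevant rule it enforces is that the handler only ever narrows the requested statuses, never widens them, and fails explicitly when nothing allowed remains.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using VirtoCommerce.OrdersModule.Core.Model.Search;
using VirtoCommerce.OrdersModule.Data.Authorization;
using VirtoCommerce.Platform.Core.Security;
using VirtoCommerce.Platform.Security.Authorization;

// Hypothetical scope type (assumed, not part of the Order Module): the Scope value holds one
// order status, e.g. "Processing". Register it with AbstractTypeFactory<PermissionScope> so the
// role editor can assign it to the order:read permission.
public sealed class OrderStatusScope : PermissionScope
{
}

public sealed class CustomOrderAuthorizationHandler : PermissionAuthorizationHandlerBase<OrderAuthorizationRequirement>
{
    private readonly MvcNewtonsoftJsonOptions _jsonOptions;

    public CustomOrderAuthorizationHandler(IOptions<MvcNewtonsoftJsonOptions> jsonOptions)
    {
        _jsonOptions = jsonOptions.Value;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OrderAuthorizationRequirement requirement)
    {
        // Base check: does the user hold the permission at all (e.g. order:read)?
        await base.HandleRequirementAsync(context, requirement);

        // This handler only narrows search criteria; any other resource is left to the default handler.
        if (context.Resource is not CustomerOrderSearchCriteria criteria)
        {
            return;
        }

        // Collect the statuses assigned to this user's copy of the permission.
        var userPermission = context.User.FindPermission(requirement.Permission, _jsonOptions.SerializerSettings);
        var allowedStatuses = userPermission?.AssignedScopes
            .OfType<OrderStatusScope>()
            .Select(x => x.Scope)
            .Where(x => !string.IsNullOrWhiteSpace(x))
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray() ?? Array.Empty<string>();

        // No status scope assigned: nothing to narrow, the default handler decides.
        if (allowedStatuses.Length == 0)
        {
            return;
        }

        // Narrow, never widen: an empty request means "all allowed", otherwise intersect with the allowed set.
        var requested = criteria.Statuses ?? Array.Empty<string>();
        criteria.Statuses = requested.Length == 0
            ? allowedStatuses
            : requested.Intersect(allowedStatuses, StringComparer.OrdinalIgnoreCase).ToArray();

        // The caller asked only for statuses outside their scope: fail explicitly rather than
        // silently returning everything. Fail() also overrides a Succeed() from any other handler.
        if (criteria.Statuses.Length == 0)
        {
            context.Fail();
            return;
        }

        context.Succeed(requirement);
    }
}
```

Two design points worth keeping: the intersection is computed before the search runs, so the scope is enforced by the query itself rather than by filtering the result set afterwards; and the handler returns early (without Succeed or Fail) whenever it has nothing to say, so it cannot accidentally grant access in cases the default OrderAuthorizationHandler is responsible for.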
The custom CustomOrderAuthorizationHandler is then executed, along with the other registered handlers, each time OrderAuthorizationRequirement is checked by this call: