AspNetCore.Docs/aspnetcore/security/authorization/views.md

---
title: View Based Authorization | Microsoft Docs
author: rick-anderson
description: 
keywords: ASP.NET Core,
ms.author: riande
manager: wpickett
ms.date: 10/14/2016
ms.topic: article
ms.assetid: 24ce40d8-9b83-4bae-9d4c-a66350fcc8f8
ms.technology: aspnet
ms.prod: aspnet-core
uid: security/authorization/views
---
# View Based Authorization

<a name=security-authorization-views></a>

Often a developer will want to show, hide or otherwise modify a UI based on the current user identity. You can access the authorization service within MVC views via [dependency injection](../../fundamentals/dependency-injection.md#fundamentals-dependency-injection). To inject the authorization service into a Razor view use the `@inject` directive, for example `@inject IAuthorizationService AuthorizationService`. If you want the authorization service in every view then place the `@inject` directive into the `_ViewImports.cshtml` file in the `Views` directory. For more information on dependency injection into views see [Dependency injection into views](../../mvc/views/dependency-injection.md).

Once you have injected the authorization service you use it by calling the `AuthorizeAsync` method in exactly the same way as you would check during [resource based authorization](resourcebased.md#security-authorization-resource-based-imperative).

```csharp
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
   {
       <p>This paragraph is displayed because you fulfilled PolicyName.</p>
   }
   ```

In some cases the resource will be your view model, and you can call `AuthorizeAsync` in exactly the same way as you would check during [resource based authorization](resourcebased.md#security-authorization-resource-based-imperative);

```csharp
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
   {
       <p><a class="btn btn-default" role="button"
           href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
   }
   ```

Here you can see the model is passed as the resource authorization should take into consideration.

>[!WARNING]
>Do not rely on showing or hiding parts of your UI as your only authorization method. Hiding a UI element does not mean a user cannot access it. You must also authorize the user within your controller code.
Add docfx content 2016-10-29 01:35:15 +08:00			`---`
title + meta on technology 2016-11-17 08:24:57 +08:00			`title: View Based Authorization \| Microsoft Docs`
Add docfx content 2016-10-29 01:35:15 +08:00			`author: rick-anderson`
keywords and decription meta-data 2016-11-18 04:13:02 +08:00			`description:`
			`keywords: ASP.NET Core,`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.author: riande`
			`manager: wpickett`
			`ms.date: 10/14/2016`
			`ms.topic: article`
			`ms.assetid: 24ce40d8-9b83-4bae-9d4c-a66350fcc8f8`
title + meta on technology 2016-11-17 08:24:57 +08:00			`ms.technology: aspnet`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.prod: aspnet-core`
			`uid: security/authorization/views`
			`---`
			`# View Based Authorization`

			`<a name=security-authorization-views></a>`

			Often a developer will want to show, hide or otherwise modify a UI based on the current user identity. You can access the authorization service within MVC views via [dependency injection](../../fundamentals/dependency-injection.md#fundamentals-dependency-injection). To inject the authorization service into a Razor view use the `@inject` directive, for example `@inject IAuthorizationService AuthorizationService`. If you want the authorization service in every view then place the `@inject` directive into the `_ViewImports.cshtml` file in the `Views` directory. For more information on dependency injection into views see [Dependency injection into views](../../mvc/views/dependency-injection.md).

Api link fix (#2115) * quick test * quick test * quick test * Revert "quick test" This reverts commit 91b07a3df541769ef7a137e039d6a7f91cdcdf3b. * Revert "quick test" This reverts commit e44af19bb4e60cb8299790b7db34a37f0c645e48. * Revert "quick test" This reverts commit 6872a1921dbd997b3027873fe823f87ee8601024. * Removed links to old api site * Fixed link to H1 * quick fix * Fixed link to H1 * reverted to match master * removed random character. * removed random unix character * removed random unix character * removed random UTF character * removed random UTF character * removed random UTF character * removed random UTF character * removed random UTF character * removed random UTF character * Quick fixes * Update CONTRIBUTING.md * removed random UTF character * removed random UTF character * Update routing.md * Update validation.md * Update overview.md * Update linuxproduction.md * Update web-publishing-vs.md * Update sociallogins.md * Update cors.md * Update cross-site-scripting.md * Update overview.md * Update key-encryption-at-rest.md * Update adding-model.md * Update new-field.md * Update validation.md * Update first-web-api.md * Update nano-server.md * Update your-first-mac-aspnet.md * Update linuxproduction.md 2016-11-08 01:58:40 +08:00			Once you have injected the authorization service you use it by calling the `AuthorizeAsync` method in exactly the same way as you would check during [resource based authorization](resourcebased.md#security-authorization-resource-based-imperative).
Add docfx content 2016-10-29 01:35:15 +08:00
fixed code snippets 2016-11-18 13:03:07 +08:00			```csharp
Add docfx content 2016-10-29 01:35:15 +08:00			`@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))`
			`{`
			`<p>This paragraph is displayed because you fulfilled PolicyName.</p>`
			`}`
fixed code snippets 2016-11-18 13:03:07 +08:00			```
Add docfx content 2016-10-29 01:35:15 +08:00
Api link fix (#2115) * quick test * quick test * quick test * Revert "quick test" This reverts commit 91b07a3df541769ef7a137e039d6a7f91cdcdf3b. * Revert "quick test" This reverts commit e44af19bb4e60cb8299790b7db34a37f0c645e48. * Revert "quick test" This reverts commit 6872a1921dbd997b3027873fe823f87ee8601024. * Removed links to old api site * Fixed link to H1 * quick fix * Fixed link to H1 * reverted to match master * removed random character. * removed random unix character * removed random unix character * removed random UTF character * removed random UTF character * removed random UTF character * removed random UTF character * removed random UTF character * removed random UTF character * Quick fixes * Update CONTRIBUTING.md * removed random UTF character * removed random UTF character * Update routing.md * Update validation.md * Update overview.md * Update linuxproduction.md * Update web-publishing-vs.md * Update sociallogins.md * Update cors.md * Update cross-site-scripting.md * Update overview.md * Update key-encryption-at-rest.md * Update adding-model.md * Update new-field.md * Update validation.md * Update first-web-api.md * Update nano-server.md * Update your-first-mac-aspnet.md * Update linuxproduction.md 2016-11-08 01:58:40 +08:00			In some cases the resource will be your view model, and you can call `AuthorizeAsync` in exactly the same way as you would check during [resource based authorization](resourcebased.md#security-authorization-resource-based-imperative);
Add docfx content 2016-10-29 01:35:15 +08:00
fixed code snippets 2016-11-18 13:03:07 +08:00			```csharp
Add docfx content 2016-10-29 01:35:15 +08:00			`@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))`
			`{`
			`<p><a class="btn btn-default" role="button"`
			`href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>`
			`}`
fixed code snippets 2016-11-18 13:03:07 +08:00			```
Add docfx content 2016-10-29 01:35:15 +08:00
			`Here you can see the model is passed as the resource authorization should take into consideration.`

			`>[!WARNING]`
			`>Do not rely on showing or hiding parts of your UI as your only authorization method. Hiding a UI element does not mean a user cannot access it. You must also authorize the user within your controller code.`