AspNetCore.Docs/aspnetcore/security/authorization/views.md

44 lines
2.3 KiB
Markdown
Raw Normal View History

2016-10-29 01:35:15 +08:00
---
2016-11-17 08:24:57 +08:00
title: View Based Authorization | Microsoft Docs
2016-10-29 01:35:15 +08:00
author: rick-anderson
2016-11-18 04:13:02 +08:00
description:
keywords: ASP.NET Core,
2016-10-29 01:35:15 +08:00
ms.author: riande
manager: wpickett
ms.date: 10/14/2016
ms.topic: article
ms.assetid: 24ce40d8-9b83-4bae-9d4c-a66350fcc8f8
2016-11-17 08:24:57 +08:00
ms.technology: aspnet
ms.prod: asp.net-core
2016-10-29 01:35:15 +08:00
uid: security/authorization/views
---
# View Based Authorization
<a name=security-authorization-views></a>
Often a developer will want to show, hide or otherwise modify a UI based on the current user identity. You can access the authorization service within MVC views via [dependency injection](../../fundamentals/dependency-injection.md#fundamentals-dependency-injection). To inject the authorization service into a Razor view use the `@inject` directive, for example `@inject IAuthorizationService AuthorizationService` (requires `@using Microsoft.AspNetCore.Authorization`). If you want the authorization service in every view then place the `@inject` directive into the `_ViewImports.cshtml` file in the `Views` directory. For more information on dependency injection into views see [Dependency injection into views](../../mvc/views/dependency-injection.md).
2016-10-29 01:35:15 +08:00
Once you have injected the authorization service you use it by calling the `AuthorizeAsync` method in exactly the same way as you would check during [resource based authorization](resourcebased.md#security-authorization-resource-based-imperative).
2016-10-29 01:35:15 +08:00
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
{
<p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
In some cases the resource will be your view model, and you can call `AuthorizeAsync` in exactly the same way as you would check during [resource based authorization](resourcebased.md#security-authorization-resource-based-imperative);
2016-10-29 01:35:15 +08:00
2016-11-18 13:03:07 +08:00
```csharp
2016-10-29 01:35:15 +08:00
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
{
<p><a class="btn btn-default" role="button"
href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
}
2016-11-18 13:03:07 +08:00
```
2016-10-29 01:35:15 +08:00
Here you can see the model is passed as the resource authorization should take into consideration.
>[!WARNING]
>Do not rely on showing or hiding parts of your UI as your only authorization method. Hiding a UI element does not mean a user cannot access it. You must also authorize the user within your controller code.