AspNetCore.Docs/aspnetcore/security/authorization/views.md

76 lines
3.2 KiB
Markdown
Raw Normal View History

2016-10-29 01:35:15 +08:00
---
title: View-based authorization in ASP.NET Core MVC
2016-10-29 01:35:15 +08:00
author: rick-anderson
description: This document demonstrates how to inject and utilize the authorization service inside of an ASP.NET Core Razor view.
keywords: ASP.NET Core,authorization,IAuthorizationService,Razor authorization
2016-10-29 01:35:15 +08:00
ms.author: riande
manager: wpickett
ms.date: 10/30/2017
2016-10-29 01:35:15 +08:00
ms.topic: article
ms.assetid: 24ce40d8-9b83-4bae-9d4c-a66350fcc8f8
2016-11-17 08:24:57 +08:00
ms.technology: aspnet
ms.prod: asp.net-core
2016-10-29 01:35:15 +08:00
uid: security/authorization/views
---
# View-based authorization
2016-10-29 01:35:15 +08:00
A developer often wants to show, hide, or otherwise modify a UI based on the current user identity. You can access the authorization service within MVC views via [dependency injection](xref:fundamentals/dependency-injection#fundamentals-dependency-injection). To inject the authorization service into a Razor view, use the `@inject` directive:
2016-10-29 01:35:15 +08:00
```cshtml
@using Microsoft.AspNetCore.Authorization
@inject IAuthorizationService AuthorizationService
```
If you want the authorization service in every view, place the `@inject` directive into the *_ViewImports.cshtml* file of the *Views* directory. For more information, see [Dependency injection into views](xref:mvc/views/dependency-injection).
Use the injected authorization service to invoke `AuthorizeAsync` in exactly the same way you would check during [resource-based authorization](xref:security/authorization/resourcebased#security-authorization-resource-based-imperative):
2016-10-29 01:35:15 +08:00
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
```cshtml
@if ((await AuthorizationService.AuthorizeAsync(User, "PolicyName")).Succeeded)
{
<p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
```
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
2016-10-29 01:35:15 +08:00
2017-10-13 04:25:57 +08:00
```cshtml
2016-10-29 01:35:15 +08:00
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
{
<p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
```
2016-10-29 01:35:15 +08:00
---
In some cases, the resource will be your view model. Invoke `AuthorizeAsync` in exactly the same way you would check during [resource-based authorization](xref:security/authorization/resourcebased#security-authorization-resource-based-imperative):
2016-10-29 01:35:15 +08:00
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
2017-10-13 04:25:57 +08:00
```cshtml
@if ((await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit)).Succeeded)
{
<p><a class="btn btn-default" role="button"
href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
}
```
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
2017-10-13 04:25:57 +08:00
```cshtml
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
{
<p><a class="btn btn-default" role="button"
href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
}
```
---
2016-10-29 01:35:15 +08:00
In the preceding code, the model is passed as a resource the policy evaluation should take into consideration.
2016-10-29 01:35:15 +08:00
> [!WARNING]
> Don't rely on toggling visibility of your app's UI elements as the sole authorization check. Hiding a UI element may not completely prevent access to its associated controller action. For example, consider the button in the preceding code snippet. A user can invoke the `Edit` action method if he or she knows the relative resource URL is */Document/Edit/1*. For this reason, the `Edit` action method should perform its own authorization check.