31 lines
1.7 KiB
ReStructuredText
31 lines
1.7 KiB
ReStructuredText
.. _security-authorization-views:
|
|
|
|
View Based Authorization
|
|
========================
|
|
|
|
Often a developer will want to show, hide or otherwise modify a UI based on the current user identity. You can access the authorization service within MVC views by injecting it. To inject the authorization service into a view you use the ``@inject IAuthorizationService AuthorizationService``. If you want the authorization service in every view the place the ``@inject`` keyword into the ``_ViewImports.cshtml`` file in the ``Views`` directory.
|
|
|
|
Once you have injected the authorization service you use it by calling the ``AuthorizeAsync`` method in exactly the same way as you would check during :ref:`resource based authorization <security-authorization-resource-based-imperative>`.
|
|
|
|
.. code-block:: c#
|
|
|
|
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
|
|
{
|
|
<p>This paragraph is displayed because you fulfilled PolicyName.</p>
|
|
}
|
|
|
|
In some cases the resource will be your view model, and you can call ``AuthorizeAsync`` in exactly the same way as you would check during :ref:`resource based authorization <security-authorization-resource-based-imperative>`;
|
|
|
|
.. code-block:: c#
|
|
|
|
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
|
|
{
|
|
<p><a class="btn btn-default" role="button"
|
|
href="@Url.Action("Edit", "Document", new {id= Model.Id})">Edit</a></p>
|
|
}
|
|
|
|
Here you can see the model is passed as the resource authorization should take into consideration.
|
|
|
|
.. WARNING::
|
|
Do not rely on showing or hiding parts of your UI as your only authorization method. Hiding a UI element does not mean a user cannot access it. You must also authorize the user within your controller code.
|