0
I am developing a Blazor Server application that requires role and permission-based access control. My authentication uses a custom provider (not relying on HTTP Context), and I need to enforce authorization rules both on the UI (hiding components, buttons, menus) and server-side (restricting access to sensitive methods).
Since Blazor uses SignalR for client-server communication, traditional [Authorize] attributes or policies tied to HTTP Context are not viable. I want to use Roles to make the user unauthorized to reach certain pages that require a specific role, while I want to use Permissions to be tied to most components on each page. My Roles and Permissions are stored in the Db where the Permissions are tied to Roles. I would like to avoid using Policies for the Permissions.
Notes:
- Permissions are stored in a database table and assigned to Roles, and each User can have multiple roles
- Permissions are placed in a "context" during authentication which I can grab as long as the user is authenticated (I do not want to clutter the claims with potentially big number of permissions)
- Permissions are named after the action that they are assigned to, for example "AddUser", "EditProduct", "ViewEmployeeGrid"
Requirements:
- Ability to attribute the Blazor pages with something similar to the Authorize attribute such as @attribute [Authorize(Roles = "SuperAdmin, Auditor, Operator")]
- Ability to use Permission keyword in a custom "AuthorizeView" wrapped on each component, button, etc.
<CustomAuthorizeView Permission="AddUser">
<div class="radzen-filter">
<RadzenStack Orientation="Orientation.Horizontal" AlignItems="AlignItems.Center" Gap="0.5rem" Style="margin-bottom: 1rem;">
<RadzenButton Click="@CreateUser" Text="Add User" Icon="add" ButtonStyle="ButtonStyle.Primary" />
</RadzenStack>
</div>
</CustomAuthorizeView>
I know that this is more of a general Blazor question rather than a Radzen one, but any help would be appreciated.