Authorization
Firestorm provides basic authorization at the field, item and collection levels.
Note
v1.0 provides basic authorization. A more comprehensive set of authorization features is planned for a future version.
AuthorizeAttribute for fields
The Authorize attribute determines whether the API user can access the field.
The attribute can allow specific Users or Roles, as with ASP.NET MVC's AuthorizeAttribute.
public class ArtistsStem : Stem<Artist>
{
    [Get]
    public static Expression<Func<Artist, string>> Name
    {
        get { return a => a.Name; }
    }

    // Only users in the Admin role may set this field.
    [Set]
    [Authorize(Roles = "Admin")]
    public void SetName(Artist artist, string name)
    {
        artist.OldName = artist.Name;
        artist.Name = name;
        artist.NameChangedDate = DateTime.Now;
    }
}
PUT /artists/123/name
"Noisia"
401 Unauthorized
{
    "error": "authorization",
    "message": "You do not have permissions to set the 'name' field."
}
PermissionExpression for items
The Stem<> class declares the virtual property Expression<Func<TItem, ItemPermission>> PermissionExpression for you to override with item-level permissions.
The ItemPermission enum returned by this expression determines what actions the user can do for the given item.
public enum ItemPermission
{
    None = 0,
    Read = 1,
    Write = 2,
    ReadWrite = Write | Read,
    Delete = 4,
    ReadWriteDelete = Delete | ReadWrite,
}
For example, you can make an expression that allows the user to view all artists, but only edit their own.
public class ArtistsStem : Stem<Artist>
{
    public override Expression<Func<Artist, ItemPermission>> PermissionExpression
    {
        get { return a => a.OwnedByUsername == User.Username ? ItemPermission.ReadWrite : ItemPermission.Read; }
    }
}
This is particularly handy if you want to limit a collection to only return certain items. The expression is used in the Where clause of the final LINQ query.
This property defaults to returning null, in which case no filter is added to the final query and all users are assumed to have full ReadWriteDelete permissions.
CanAddItem for collections
Finally, there's another virtual method, bool CanAddItem().
public class ArtistsStem : Stem<Artist>
{
    public override bool CanAddItem()
    {
        return User.IsInRole("Create_Artists");
    }
}
This method defaults to always returning true, allowing any user to add new items to the collection.
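The following stem combines all three levels described on this page (field, item and collection) in one class. It is an added example, not code from the Firestorm project; the Artist model is constructed for it, its IsPublic property is assumed, and the assumption that items evaluating to ItemPermission.None are dropped by the Where clause Firestorm builds from the expression is noted in the comments.

```csharp
using System;
using System.Linq.Expressions;

// Constructed model for this example. OwnedByUsername appears on the page;
// IsPublic is an assumed extra property used to hide private artists.
public class Artist
{
    public string Name { get; set; }
    public string OwnedByUsername { get; set; }
    public bool IsPublic { get; set; }
}

public class ArtistsStem : Stem<Artist>
{
    // Field level: only Admins may write the name field; others get 401.
    [Set]
    [Authorize(Roles = "Admin")]
    public void SetName(Artist artist, string name)
    {
        artist.Name = name;
    }

    // Item level: admins get full rights, owners may edit their own artists,
    // everyone else may only read public ones. Items that evaluate to None
    // are assumed (not stated on the page) to be filtered out by the Where
    // clause built from this expression, so private artists never reach
    // a non-owner.
    public override Expression<Func<Artist, ItemPermission>> PermissionExpression
    {
        get
        {
            // Evaluate the caller's identity outside the expression tree so the
            // LINQ provider sees captured constants rather than calls on User
            // that it may not be able to translate into the query.
            bool isAdmin = User.IsInRole("Admin");
            string username = User.Username;

            return a =>
                isAdmin ? ItemPermission.ReadWriteDelete
                : a.OwnedByUsername == username ? ItemPermission.ReadWrite
                : a.IsPublic ? ItemPermission.Read
                : ItemPermission.None;
        }
    }

    // Collection level: only members of Create_Artists may add new artists.
    public override bool CanAddItem()
    {
        return User.IsInRole("Create_Artists");
    }
}
```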