[RFC] Resource Scoped Permission Implementation

[enif-lee]

Concept API Design

[HttpPost("{id}/issues")]
[CheckResourcePermission("Project",  "WriteIssue"]
[CheckResourceRoles("Project", "Manager", "Admin")]
public async Task<ActionResult> CreateProjectIssueAsync([ResourceId("Project")] [FromRoute] int id, [FromBody] CreateProjectIssueRequest request) 
{
    // Do something
}

// When nested issue case
[HttpPatch("/api/issues/{id}")]
[CheckResourcePermission("Project",  "WriteIssue"]
[CheckResourceRoles("Project", "Manager", "Admin")]
public async Task<ActionResult> CreateProjectIssueAsync([ResourceId("Issue")] [FromRoute] int id, [FromBody] CreateProjectIssueRequest request) 
{}

// Configure Services
service.AddResourceIdProvider<IssueToProjectIdProvider>("Issue", "Project");

public class IssueToProjectIdProvider : IResourceIdProvider
{
    public IssueToProjectIdProvider(Db db) { this.Db = db;    

    public async Task<object> GetResourceIdFromAsync(object resourceId)
    {
        int originId = (int)resourceId;
        var issue = await Db.Issues.FindOneAsync(originId);
        return issue.ProjectId;
    }
}

Considerations

• Allow multiple permissions for one API?
• How to work if there are both permission and role?
• Research elegant and easy, declarative, intuitive API and resource design

References

• Get custom attributes from action filter context
• Get action context from AuthrizationHandler