Authorization
All of an Entity’s Factory Method calls can be authorized. The authorization is performed by the Neatoo generated Factory before the Entity’s Factory Method is called. An authorization class can be simple or complex. Factory Methods are linked to Authorization Methods with bitwise operators, which keeps the mapping flexible. A corresponding CanXYZ method is also defined.
Authorization Class Attribute
A separate Authorization Class is defined that the Factory calls to perform the authorization.
[Authorize<IPersonAuth>]
internal partial class Person : IPerson
The Authorization Class is linked to the Entity by the generic Authorize class attribute. Above, IPersonAuth is the Authorization Class for the Person Entity.
If an interface is defined, it is treated as a service and the implementation is resolved from the DI container.
Authorize Method Attribute
[Authorize(AuthorizeOperation.Create)]
bool HasCreate();
Authorize Methods have an Authorize method attribute to define their AuthorizeOperation. When the FactoryOperation matches the AuthorizeOperation the Authorize method is called.
If an interface is defined on the Entity Class’s Authorize attribute, then the Authorize method attributes must be on the interface.
AuthorizeOperation and FactoryOperation Bitwise
The FactoryOperation enum corresponds one-to-one to the Factory Method attributes. Each FactoryOperation value is a bitwise OR of AuthorizeOperation values.
An Authorize Method is called for a Factory Method if the Factory Method attribute’s FactoryOperation shares at least one bit with the Authorize Method’s AuthorizeOperation, that is, when the bitwise AND of the two is non-zero.
Code Example
Authorization Class:
[Authorize(AuthorizeOperation.Read | AuthorizeOperation.Write)]
public bool HasAccess();
[Authorize(AuthorizeOperation.Create)]
bool HasCreate();
The following code will be added to the generated Entity Factory before the call to the Entity’s Create Factory method:
IPersonAuth ipersonauth = ServiceProvider.GetRequiredService<IPersonAuth>();
authorized = ipersonauth.HasAccess();
if (!authorized.HasAccess)
{
    return authorized;
}
authorized = ipersonauth.HasCreate();
if (!authorized.HasAccess)
{
    return authorized;
}
- The Authorization Class is resolved from the DI container
- IPersonAuth.HasAccess is called because FactoryOperation.Create & (AuthorizeOperation.Read | AuthorizeOperation.Write) != 0
- Remember, FactoryOperation.Create = AuthorizeOperation.Read | AuthorizeOperation.Create
- IPersonAuth.HasCreate is called because FactoryOperation.Create & (AuthorizeOperation.Create) != 0
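The matching rule above can be modelled at runtime to see which checks gate an operation and that the first failing check denies the call. This is an added example, not Neatoo's generated code: the Demo* types, the bit values and the Fetch mapping are assumptions, and only the Create = Read | Create relationship comes from this page.

```csharp
using System;
using System.Reflection;

var auth = new DemoPersonAuth();
foreach (var (name, op) in new[] { ("Create", DemoFactoryOp.Create), ("Fetch", DemoFactoryOp.Fetch) })
    Console.WriteLine($"{name}: {(Gate.IsAuthorized(auth, op) ? "allowed" : "denied")}");

[Flags]
enum DemoAuthOp { Read = 1, Write = 2, Create = 4 }   // bit values are assumed

static class DemoFactoryOp
{
    // From the page: FactoryOperation.Create = Read | Create.
    public const DemoAuthOp Create = DemoAuthOp.Read | DemoAuthOp.Create;
    // Assumed for this demo: Fetch carries only the Read bit.
    public const DemoAuthOp Fetch = DemoAuthOp.Read;
}

[AttributeUsage(AttributeTargets.Method)]
sealed class DemoAuthorizeAttribute : Attribute
{
    public DemoAuthOp Operation { get; }
    public DemoAuthorizeAttribute(DemoAuthOp operation) => Operation = operation;
}

class DemoPersonAuth
{
    [DemoAuthorize(DemoAuthOp.Read | DemoAuthOp.Write)]
    public bool HasAccess() => true;
    [DemoAuthorize(DemoAuthOp.Create)]
    public bool HasCreate() => false;   // sample caller lacks create rights
}

static class Gate
{
    // Runs every check whose bits overlap the factory operation; first false denies.
    public static bool IsAuthorized(object auth, DemoAuthOp factoryOp)
    {
        foreach (var m in auth.GetType().GetMethods())
        {
            var attr = m.GetCustomAttribute<DemoAuthorizeAttribute>();
            if (attr == null || (attr.Operation & factoryOp) == 0) continue;
            bool ok = (bool)m.Invoke(auth, null)!;
            Console.WriteLine($"  {m.Name} -> {ok}");
            if (!ok) return false;
        }
        return true;
    }
}
```

In this model an operation whose bits match no check is allowed; that is a property of the model only and says nothing about the generated factory.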
Can Method
For each Factory Method defined in the Factory, a “Can” method is created when there is Authorization. It checks ahead of time whether the call will be authorized. If unauthorized, Create and Fetch will simply return null objects. If unauthorized, Save will throw an exception and TrySave will not.