3
votes

How can one restrict access to data in WebAPI OData?

Let's say I have a YouTube channel that has videos. Some videos are private, some are restricted to specific users, and some are public. How might one go about ensuring that only the allowed users get the data?

Especially when one wants to restrict access to navigation properties and such.

I might have misunderstood some basic principles of OData.

Basically I'm looking for some proven pattern to restrict access to specific data to specific roles and users, and serializing data.

1 Answer

2
votes

The common way to handle this is to use a Query Interceptor. When you request data from a particular entity set in your service, the WCF data service will see that a query interceptor is defined for that particular entity set. Your interceptor is an expression that's executed to filter out and/or restrict values in the returned entity set.

There are also Change Interceptors that can fire for modification operations, too.

Hope this helps.
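
As an added example (not part of the answer above), here is a WCF Data Services query interceptor and change interceptor applied to the video scenario from the question. The `Video`, `VideoGrant`, `ChannelContext` and `ChannelService` types, the visibility strings and the `Administrators` role are assumptions made for illustration, as is hosting under ASP.NET with a `DbContext`-backed service.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.Data.Services;
using System.Linq;
using System.Linq.Expressions;
using System.Web;

// Hypothetical model: Visibility holds "Public", "Restricted" or "Private".
public class VideoGrant { public int Id { get; set; } public string UserName { get; set; } }
public class Video
{
    public int Id { get; set; }
    public string OwnerName { get; set; }
    public string Visibility { get; set; }
    public virtual ICollection<VideoGrant> Grants { get; set; }
}
public class ChannelContext : DbContext { public DbSet<Video> Videos { get; set; } }

public class ChannelService : DataService<ChannelContext>
{
    public static void InitializeService(DataServiceConfiguration config)
    {
        // Entity sets without an access rule are not exposed at all.
        config.SetEntitySetAccessRule("Videos", EntitySetRights.AllRead | EntitySetRights.AllWrite);
    }

    // The returned predicate is composed into every query against Videos.
    [QueryInterceptor("Videos")]
    public Expression<Func<Video, bool>> OnQueryVideos()
    {
        var user = HttpContext.Current.User;
        if (user.IsInRole("Administrators")) return v => true;
        // Anonymous callers get a null name and therefore match public videos only.
        string name = user.Identity.IsAuthenticated ? user.Identity.Name : null;
        return v => v.Visibility == "Public"
            || (name != null && (v.OwnerName == name
                || (v.Visibility == "Restricted" && v.Grants.Any(g => g.UserName == name))));
    }

    // Runs before an insert, update or delete on Videos is applied.
    [ChangeInterceptor("Videos")]
    public void OnChangeVideos(Video video, UpdateOperations operations)
    {
        var user = HttpContext.Current.User;
        // Decide from the server-side identity, never from values sent in the request body.
        if (!user.Identity.IsAuthenticated || !user.IsInRole("Administrators"))
            throw new DataServiceException(403, "Only administrators may modify videos.");
    }
}
```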