5
votes

Got help from this article:

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies

I tried to create some policies for my actions , but in some actions I want to have multiple policies , and if user has either of them, they can have access to Actions of controller :

    [Authorize(Policy = "CanAccessMenu1")]
    [Authorize(Policy = "CanAccessMenu2")]
 public async Task<IActionResult> ActionFroMultiplePolicies([FromBody] ActionRequest request)
        {
//..............
}

how can I merge this policies ? can I use something like this?

[Authorize(Policy = "CanAccessMenu1, CanAccessMenu2")]

In this case , maybe I need to have some changes in this override functions. But I dont have any idea about that :

Protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CanAccessRequirement requirement)
        {
        }

Thanks for any help

1

1 Answers

-2
votes

Not the way you want; policies are designed to be cumulative. For example if you use two separate attributes then they must both pass.

You have to evaluate OR conditions within a single policy. But you don't have to code it as ORs within a single handler. You can have a requirement which has more than one handler. If either of the handlers flag success then the requirement is fulfilled. See Step 6 in blowdart's Authoriation Workshop.