Extending Authorization Policies
Virto Commerce supports extending the existing authorization policies that are defined and checked in the API controllers and other locations. This article explains techniques for extending an authorization policy type without modifying the original code.
Click here to view or download our sample code.
Extending Existing Authorization Policies
Let's assume the Order Module performs the authorization check shown below. We want to extend the default OrderAuthorizationHandler, which is associated with the OrderAuthorizationRequirement requirement called during the authorization check, with a new policy that limits the resulting orders by their statuses. The purpose is to create a role that lets certain users see only orders with certain status(es).
public async Task<ActionResult<CustomerOrderSearchResult>> SearchCustomerOrder([FromBody] CustomerOrderSearchCriteria criteria)
var authorizationResult = await _authorizationService.AuthorizeAsync(User, criteria, new OrderAuthorizationRequirement(ModuleConstants.Security.Permissions.Read));
To enable this extension, define a new CustomOrderAuthorizationHandler class and use the same OrderAuthorizationRequirement requirement that the original controller method uses for its authorization check:
Register your handler in the DI to tell ASP.NET Authorization to call your handler along with others associated with the
CustomOrderAuthorizationHandler, along with the other registered handlers, will be executed each time OrderAuthorizationRequirement is checked by this call:
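The define-and-register steps above, shown as an added example that is not code from Virto Commerce or its sample repository. It uses only the ASP.NET Core authorization API; DemoOrderRequirement, DemoOrderCriteria, StatusScopeHandler and the "demo:order_status" claim type are hypothetical stand-ins for the module's own types and permission scopes.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Stand-ins (assumptions) for OrderAuthorizationRequirement and the order search criteria.
public sealed class DemoOrderRequirement : IAuthorizationRequirement { }
public sealed class DemoOrderCriteria { public string[] Statuses { get; set; } = Array.Empty<string>(); }

// Extra handler for the same requirement: narrows the criteria to the caller's status scope.
public sealed class StatusScopeHandler : AuthorizationHandler<DemoOrderRequirement, DemoOrderCriteria>
{
    public const string ScopeClaim = "demo:order_status"; // constructed claim type
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        DemoOrderRequirement requirement, DemoOrderCriteria criteria)
    {
        var allowed = context.User.FindAll(ScopeClaim).Select(c => c.Value).ToArray();
        if (allowed.Length == 0) return Task.CompletedTask; // no scope: other handlers decide
        var narrowed = criteria.Statuses.Length == 0 ? allowed
            : criteria.Statuses.Intersect(allowed, StringComparer.OrdinalIgnoreCase).ToArray();
        if (narrowed.Length == 0) context.Fail(); // only out-of-scope statuses requested: hard deny
        else { criteria.Statuses = narrowed; context.Succeed(requirement); }
        return Task.CompletedTask;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging();           // DefaultAuthorizationService needs ILogger<T>
        services.AddAuthorizationCore();
        services.AddSingleton<IAuthorizationHandler, StatusScopeHandler>(); // the DI registration step
        var auth = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
        // Constructed user whose scope covers two statuses.
        var user = new ClaimsPrincipal(new ClaimsIdentity(new[] {
            new Claim(StatusScopeHandler.ScopeClaim, "New"),
            new Claim(StatusScopeHandler.ScopeClaim, "Processing") }, "constructed"));
        foreach (var requested in new[] { Array.Empty<string>(), new[] { "New", "Cancelled" }, new[] { "Cancelled" } })
        {
            var criteria = new DemoOrderCriteria { Statuses = requested };
            var result = await auth.AuthorizeAsync(user, criteria, new DemoOrderRequirement());
            Console.WriteLine($"[{string.Join(",", requested)}] -> {result.Succeeded} [{string.Join(",", criteria.Statuses)}]");
        }
    }
}
```

ASP.NET Core treats a requirement as met when any handler calls Succeed and no handler calls Fail, so a handler added to restrict results has to narrow the resource it is given or call Fail; simply not succeeding does not override another handler's Succeed.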