Topic: Authorization filters with non-declarative logic
Web API provides filters in which it is possible to check roles or . This has existed for a long time and works, but what should be done when the rules cannot be expressed declaratively? For example, take the methods

public GetProducts()
public UpdateProduct(productID int)

How can the filter check that the current user has the rights to update a certain product (say, can update the product with id = 123 and can only read the others), or can read only those with id > 123? All these rules require access to a DB for the check. Traditionally this is done directly in the method, i.e. something like if (AccessAllowed(productID, userID))... or select * from Products join UserProducts... is added. I would like to separate the security logic from the business logic; has anyone managed to do this?
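
One way to move the per-product check out of the action method, as an added example that is not part of the original post. It assumes ASP.NET Web API 2 (System.Web.Http) with a dependency resolver configured; `IProductAccessService`, `CanUpdate` and `RequireProductUpdateAttribute` are hypothetical names, and `productID` is the parameter name from the post.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical service: the database lookup (e.g. the UserProducts join) lives here.
public interface IProductAccessService
{
    bool CanUpdate(string userName, int productId);
}

// An action filter rather than an authorization filter: authorization filters
// run before model binding, so ActionArguments would still be empty there.
public sealed class RequireProductUpdateAttribute : ActionFilterAttribute
{
    private readonly string _argumentName;

    public RequireProductUpdateAttribute(string argumentName = "productID")
    {
        _argumentName = argumentName;
    }

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var user = actionContext.RequestContext.Principal;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            Deny(actionContext, HttpStatusCode.Unauthorized);
            return;
        }
        // Fail closed: a missing or non-int argument is denied, never skipped.
        object raw;
        if (!actionContext.ActionArguments.TryGetValue(_argumentName, out raw) || !(raw is int))
        {
            Deny(actionContext, HttpStatusCode.Forbidden);
            return;
        }
        // Resolved per request from the configured dependency resolver.
        var access = (IProductAccessService)actionContext.Request
            .GetDependencyScope().GetService(typeof(IProductAccessService));
        if (access == null || !access.CanUpdate(user.Identity.Name, (int)raw))
            Deny(actionContext, HttpStatusCode.Forbidden);
    }

    // Setting Response here short-circuits the pipeline; the action never runs.
    private static void Deny(HttpActionContext ctx, HttpStatusCode status)
    {
        ctx.Response = ctx.Request.CreateResponse(status);
    }
}
```

Decorating UpdateProduct with `[RequireProductUpdate]` keeps the rule out of the method body. A list method such as GetProducts has no single id to test, so its row filtering still belongs in the query.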