Skip to content
Last update: October 3, 2022

Extending Authorizarion Policies

Virto Commerce supports extendng the existing authorization policies that are defined and checked in the API controllers and other locations. This article will tell you how to use various techniques to extend the authorization policy type without direct code modification.

Click here to view or download our sample code.

Extending Existing Authorization Policies

Let's assume we have the below authorization checks in the Order Module. Additionally, we want to extend the default OrderAuthorizationHandler that is associated with the OrderAuthorizationRequirement requirement called during the authorization check with a new policy limiting the resulting orders by their statuses. The purpose is to create a role that enables specific users to see orders only with specific status(es).

You can read more about how authorization policies work here.

OrderModuleController.cs
[HttpPost]
[Route("api/order/customerOrders/search")]
 public async Task<ActionResult<CustomerOrderSearchResult>> SearchCustomerOrder([FromBody] CustomerOrderSearchCriteria criteria)
        {
            var authorizationResult = await _authorizationService.AuthorizeAsync(User, criteria, new OrderAuthorizationRequirement(ModuleConstants.Security.Permissions.Read));
            if (!authorizationResult.Succeeded)
            {
                return Unauthorized();
            }
        }

In order to enable this extension, you need to define a new CustomOrderAuthorizationHandler class and use the same OrderAuthorizationRequirement requirement, as it is used in the original controller method for authorization check.

CustomOrderAuthorizationHandler.cs
 public sealed class CustomOrderAuthorizationHandler : PermissionAuthorizationHandlerBase<OrderAuthorizationRequirement>
    {
        //Code skipped for better clarity
    }

The next step is registering your handler in the DI to tell ASP.NET Authorization to call your handler along with others associated with the OrderAuthorizationRequirement requirement:

Module.cs
 public class Module : IModule
    {
        public void Initialize(IServiceCollection serviceCollection)
        {
            //Rest of code skipped for better clarity 
            serviceCollection.AddTransient<IAuthorizationHandler, CustomOrderAuthorizationHandler>();

        }
    }

After this point, the custom CustomOrderAuthorizationHandler along with other registered handlers will be executed each time when OrderAuthorizationRequirement is checked by this call: 

IAuthorizationService.AuthorizeAsync(User, data, new OrderAuthorizationRequirement());

Additional Resources

You can also check out how to handle secure Web API here.