Limit access to Entity by Tenant or UserID
Andreamarcelli opened this issue · 3 comments
SUMMARY
How can I limit querying data on an Entity by tenantID or UserID?
DETAILS
I manage the access to specific api with claims.
For example, if I have the claim profile.read the user can call the profile api on get and the purpose is to see his own account details.
But in this way I also allow the user to read all data inside profile with simple malicious manipulation of the querystring. Is there a way to set default filters in the middleware?
The problem is if someone uses Postman for example and removes the filter, they can read all the table...
VERSIONS USED
- JsonApiDotNetCore version: 5.1.2
- ASP.NET Core version: 6.0
Hi @Andreamarcelli, there's a sample at https://github.com/json-api-dotnet/JsonApiDotNetCore/tree/master/test/JsonApiDotNetCoreTests/IntegrationTests/MultiTenancy that shows how to do that. It uses an EF Core QueryFilter in the DbContext to constrain results to a specific tenant. As can be seen from the test cases, this works for primary/secondary endpoints, included relationships and nested filters, as well as write endpoints with relationships.
If you want to take it a step further and have a separate database per tenant, see https://github.com/json-api-dotnet/JsonApiDotNetCore/tree/master/src/Examples/DatabasePerTenantExample.
Hope this helps.
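A minimal EF Core global query filter of the kind the linked MultiTenancy sample relies on, written here as an added illustration (not code from JsonApiDotNetCore or from the sample itself); the `Profile` entity, the `ITenantProvider` abstraction and the `tenant_id` claim name are assumptions. The point is that the predicate is appended server-side to every query on the entity, so removing `?filter=` from the query string does not widen the result set.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;
using System.Security.Claims;

// Hypothetical tenant-scoped entity.
public sealed class Profile
{
    public long Id { get; set; }
    public string TenantId { get; set; } = string.Empty;
    public string DisplayName { get; set; } = string.Empty;
}

// Hypothetical service: resolves the caller's tenant from an assumed "tenant_id" claim.
public interface ITenantProvider
{
    string? TenantId { get; }
}

public sealed class ClaimsTenantProvider : ITenantProvider
{
    private readonly IHttpContextAccessor _accessor;
    public ClaimsTenantProvider(IHttpContextAccessor accessor) => _accessor = accessor;
    public string? TenantId => _accessor.HttpContext?.User.FindFirstValue("tenant_id");
}

public sealed class AppDbContext : DbContext
{
    // Captured per DbContext instance; with the default scoped lifetime that is per request.
    private readonly string? _tenantId;

    public AppDbContext(DbContextOptions<AppDbContext> options, ITenantProvider tenantProvider)
        : base(options) => _tenantId = tenantProvider.TenantId;

    public DbSet<Profile> Profiles => Set<Profile>();

    protected override void OnModelCreating(ModelBuilder builder)
    {
        // Global query filter: EF Core adds this predicate to every query over Profile,
        // including includes and nested filters, regardless of what the client sent.
        // A missing claim matches nothing (fail closed) rather than everything.
        builder.Entity<Profile>().HasQueryFilter(profile =>
            _tenantId != null && profile.TenantId == _tenantId);
    }
}

// Registration (Program.cs / Startup), assumed wiring:
//   services.AddHttpContextAccessor();
//   services.AddScoped<ITenantProvider, ClaimsTenantProvider>();
//   services.AddDbContext<AppDbContext>(o => o.UseNpgsql(connectionString));
```

Any code path that calls `IgnoreQueryFilters()` bypasses this constraint, so such calls deserve review as privileged operations.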
@Andreamarcelli Do you need this issue to remain open?
Closing due to inactivity. Please let me know if you need this to remain open.