feat: Update authorization policies for map rotations and enhance resource-based policy checks

frasermolyneux · frasermolyneux · commit 2b2d9f453b3d · 2026-04-13T13:20:12.000+01:00
diff --git a/src/XtremeIdiots.Portal.Web/ApiControllers/MapsController.cs b/src/XtremeIdiots.Portal.Web/ApiControllers/MapsController.cs
@@ -13,7 +13,7 @@ namespace XtremeIdiots.Portal.Web.ApiControllers;
 /// <summary>
 /// API controller for maps data operations
 /// </summary>
-[Authorize(Policy = AuthPolicies.AccessMaps)]
+[Authorize(Policy = AuthPolicies.AccessMapRotations)]
 [Route("Maps")]
 public class MapsController(
     IRepositoryApiClient repositoryApiClient,
diff --git a/src/XtremeIdiots.Portal.Web/Controllers/MapsController.cs b/src/XtremeIdiots.Portal.Web/Controllers/MapsController.cs
@@ -18,7 +18,7 @@ namespace XtremeIdiots.Portal.Web.Controllers;
 /// <param name="telemetryClient">Client for tracking telemetry data</param>
 /// <param name="logger">Logger instance for this controller</param>
 /// <param name="configuration">Application configuration</param>
-[Authorize(Policy = AuthPolicies.AccessMaps)]
+[Authorize(Policy = AuthPolicies.AccessMapRotations)]
 public class MapsController(
     IRepositoryApiClient repositoryApiClient,
     TelemetryClient telemetryClient,
diff --git a/src/XtremeIdiots.Portal.Web/Helpers/PolicyTagHelper.cs b/src/XtremeIdiots.Portal.Web/Helpers/PolicyTagHelper.cs
@@ -12,9 +12,19 @@ public class PolicyTagHelper(IAuthorizationService authService, IHttpContextAcce
 
     public required string Policy { get; set; }
 
+    /// <summary>
+    /// Optional resource to pass to the authorization handler for resource-based policy checks.
+    /// When provided, enables handlers that require a resource (e.g., GameType) to evaluate correctly.
+    /// </summary>
+    public object? PolicyResource { get; set; }
+
     public async override Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
     {
-        if (!(await authService.AuthorizeAsync(principal, Policy).ConfigureAwait(false)).Succeeded)
+        var result = PolicyResource != null
+            ? await authService.AuthorizeAsync(principal, PolicyResource, Policy).ConfigureAwait(false)
+            : await authService.AuthorizeAsync(principal, Policy).ConfigureAwait(false);
+
+        if (!result.Succeeded)
             output.SuppressOutput();
     }
 }
diff --git a/src/XtremeIdiots.Portal.Web/Views/MapRotations/AssignmentStatus.cshtml b/src/XtremeIdiots.Portal.Web/Views/MapRotations/AssignmentStatus.cshtml
@@ -18,10 +18,10 @@
                     <a asp-action="Details" asp-route-id="@Model.Rotation.MapRotationId" class="btn btn-outline-secondary btn-sm">
                         <i class="fa-solid fa-fw fa-arrow-left"></i> Back to @Model.Rotation.Title
                     </a>
-                    <a policy="@AuthPolicies.ManageMapRotations" asp-action="EditAssignment" asp-route-id="@Model.Assignment.MapRotationServerAssignmentId" class="btn btn-outline-primary btn-sm">
+                    <a policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="EditAssignment" asp-route-id="@Model.Assignment.MapRotationServerAssignmentId" class="btn btn-outline-primary btn-sm">
                         <i class="fa-solid fa-fw fa-edit"></i> Edit Assignment
                     </a>
-                    <a policy="@AuthPolicies.ManageMaps" asp-controller="MapManager" asp-action="Manage" asp-route-id="@Model.Assignment.GameServerId" class="btn btn-outline-secondary btn-sm">
+                    <a policy="@AuthPolicies.ManageMaps" policy-resource="@Model.Rotation.GameType" asp-controller="MapManager" asp-action="Manage" asp-route-id="@Model.Assignment.GameServerId" class="btn btn-outline-secondary btn-sm">
                         <i class="fa-solid fa-fw fa-hard-drive"></i> Manage Server Maps
                     </a>
                 </div>
@@ -101,7 +101,7 @@
                         <div class="mt-3">
                             @if (Model.Assignment.DeploymentState == DeploymentState.Pending || Model.Assignment.DeploymentState == DeploymentState.Failed)
                             {
-                                <form policy="@AuthPolicies.ManageMapRotations" asp-action="SyncAssignment" method="post" class="d-inline">
+                                <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="SyncAssignment" method="post" class="d-inline">
                                     @Html.AntiForgeryToken()
                                     <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
                                     <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -112,7 +112,7 @@
                             }
                             @if (Model.IsStale && Model.Assignment.DeploymentState == DeploymentState.Synced)
                             {
-                                <form policy="@AuthPolicies.ManageMapRotations" asp-action="SyncAssignment" method="post" class="d-inline">
+                                <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="SyncAssignment" method="post" class="d-inline">
                                     @Html.AntiForgeryToken()
                                     <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
                                     <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -123,7 +123,7 @@
                             }
                             @if (Model.Assignment.DeploymentState == DeploymentState.Synced && !Model.IsStale && !string.IsNullOrEmpty(Model.Assignment.ConfigFilePath) && Model.Assignment.ActivationState != ActivationState.Active)
                             {
-                                <form policy="@AuthPolicies.ManageMapRotations" asp-action="ActivateAssignment" method="post" class="d-inline">
+                                <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="ActivateAssignment" method="post" class="d-inline">
                                     @Html.AntiForgeryToken()
                                     <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
                                     <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -134,7 +134,7 @@
                             }
                             @if (Model.Assignment.ActivationState == ActivationState.Active)
                             {
-                                <form policy="@AuthPolicies.ManageMapRotations" asp-action="DeactivateAssignment" method="post" class="d-inline">
+                                <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="DeactivateAssignment" method="post" class="d-inline">
                                     @Html.AntiForgeryToken()
                                     <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
                                     <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -145,7 +145,7 @@
                             }
                             @if (Model.Assignment.DeploymentState == DeploymentState.Synced)
                             {
-                                <form policy="@AuthPolicies.ManageMapRotations" asp-action="VerifyAssignment" method="post" class="d-inline">
+                                <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="VerifyAssignment" method="post" class="d-inline">
                                     @Html.AntiForgeryToken()
                                     <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
                                     <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -156,7 +156,7 @@
                             }
                             @if (Model.Assignment.DeploymentState is not DeploymentState.Removing)
                             {
-                                <form policy="@AuthPolicies.ManageMapRotations" asp-action="DeleteAssignment" method="post" class="d-inline">
+                                <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="DeleteAssignment" method="post" class="d-inline">
                                     @Html.AntiForgeryToken()
                                     <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
                                     <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -290,7 +290,7 @@
                                                 <td>
                                                     @if (isInProgress)
                                                     {
-                                                        <form policy="@AuthPolicies.ManageMapRotations" asp-action="CancelOperation" method="post" class="d-inline">
+                                                        <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="CancelOperation" method="post" class="d-inline">
                                                             @Html.AntiForgeryToken()
                                                             <input type="hidden" name="operationId" value="@op.MapRotationAssignmentOperationId" />
                                                             <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
@@ -302,7 +302,7 @@
                                                     }
                                                     @if (op.Status is AssignmentOperationStatus.Cancelled or AssignmentOperationStatus.Failed && !string.IsNullOrEmpty(op.DurableFunctionInstanceId))
                                                     {
-                                                        <form policy="@AuthPolicies.ManageMapRotations" asp-action="TerminateOrchestration" method="post" class="d-inline">
+                                                        <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="TerminateOrchestration" method="post" class="d-inline">
                                                             @Html.AntiForgeryToken()
                                                             <input type="hidden" name="instanceId" value="@op.DurableFunctionInstanceId" />
                                                             <input type="hidden" name="assignmentId" value="@Model.Assignment.MapRotationServerAssignmentId" />
diff --git a/src/XtremeIdiots.Portal.Web/Views/MapRotations/Details.cshtml b/src/XtremeIdiots.Portal.Web/Views/MapRotations/Details.cshtml
@@ -37,13 +37,13 @@
                             {
                                 <span class="badge bg-outline-secondary">@Model.Rotation.Category</span>
                             }
-                            <a policy="@AuthPolicies.CreateMapRotation" asp-action="Clone" asp-route-id="@Model.Rotation.MapRotationId" class="btn btn-outline-secondary btn-sm">
+                            <a policy="@AuthPolicies.CreateMapRotation" policy-resource="@Model.Rotation.GameType" asp-action="Clone" asp-route-id="@Model.Rotation.MapRotationId" class="btn btn-outline-secondary btn-sm">
                                 <i class="fa-solid fa-fw fa-clone"></i> Clone
                             </a>
-                            <a policy="@AuthPolicies.EditMapRotation" asp-action="Edit" asp-route-id="@Model.Rotation.MapRotationId" class="btn btn-outline-primary btn-sm">
+                            <a policy="@AuthPolicies.EditMapRotation" policy-resource="@Model.Rotation.GameType" asp-action="Edit" asp-route-id="@Model.Rotation.MapRotationId" class="btn btn-outline-primary btn-sm">
                                 <i class="fa-solid fa-fw fa-pen-to-square"></i> Edit
                             </a>
-                            <form policy="@AuthPolicies.DeleteMapRotation" asp-action="Delete" asp-route-id="@Model.Rotation.MapRotationId" method="post" class="d-inline">
+                            <form policy="@AuthPolicies.DeleteMapRotation" policy-resource="@Model.Rotation.GameType" asp-action="Delete" asp-route-id="@Model.Rotation.MapRotationId" method="post" class="d-inline">
                                 @Html.AntiForgeryToken()
                                 <button type="submit" class="btn btn-outline-danger btn-sm" data-confirm="Are you sure you want to delete this map rotation? This cannot be undone.">
                                     <i class="fa-solid fa-fw fa-trash"></i> Delete
@@ -157,7 +157,7 @@
                     <div class="ibox-title">
                         <h5>Server Assignments (@(Model.Rotation.ServerAssignments?.Count ?? 0))</h5>
                         <div class="ibox-tools">
-                            <a policy="@AuthPolicies.ManageMapRotations" asp-action="CreateAssignment" asp-route-mapRotationId="@Model.Rotation.MapRotationId" class="btn btn-outline-primary btn-sm">
+                            <a policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="CreateAssignment" asp-route-mapRotationId="@Model.Rotation.MapRotationId" class="btn btn-outline-primary btn-sm">
                                 <i class="fa-solid fa-fw fa-plus"></i> Assign to Server
                             </a>
                         </div>
@@ -243,15 +243,15 @@
                                                     <a asp-action="AssignmentStatus" asp-route-id="@assignment.MapRotationServerAssignmentId" class="btn btn-outline-secondary btn-sm me-1">
                                                         <i class="fa-solid fa-fw fa-eye"></i> Status
                                                     </a>
-                                                    <a policy="@AuthPolicies.ManageMapRotations" asp-action="EditAssignment" asp-route-id="@assignment.MapRotationServerAssignmentId" class="btn btn-outline-secondary btn-sm me-1">
+                                                    <a policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="EditAssignment" asp-route-id="@assignment.MapRotationServerAssignmentId" class="btn btn-outline-secondary btn-sm me-1">
                                                         <i class="fa-solid fa-fw fa-edit"></i> Edit
                                                     </a>
-                                                    <a policy="@AuthPolicies.ManageMaps" asp-controller="MapManager" asp-action="Manage" asp-route-id="@assignment.GameServerId" class="btn btn-outline-secondary btn-sm me-1" title="Manage maps on this server">
+                                                    <a policy="@AuthPolicies.ManageMaps" policy-resource="@Model.Rotation.GameType" asp-controller="MapManager" asp-action="Manage" asp-route-id="@assignment.GameServerId" class="btn btn-outline-secondary btn-sm me-1" title="Manage maps on this server">
                                                         <i class="fa-solid fa-fw fa-hard-drive"></i> Maps
                                                     </a>
                                                     @if (assignment.DeploymentState == DeploymentState.Pending || assignment.DeploymentState == DeploymentState.Failed)
                                                     {
-                                                        <form policy="@AuthPolicies.ManageMapRotations" asp-action="SyncAssignment" method="post" class="d-inline">
+                                                        <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="SyncAssignment" method="post" class="d-inline">
                                                             @Html.AntiForgeryToken()
                                                             <input type="hidden" name="assignmentId" value="@assignment.MapRotationServerAssignmentId" />
                                                             <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -262,7 +262,7 @@
                                                     }
                                                     @if (isStale && assignment.DeploymentState == DeploymentState.Synced)
                                                     {
-                                                        <form policy="@AuthPolicies.ManageMapRotations" asp-action="SyncAssignment" method="post" class="d-inline">
+                                                        <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="SyncAssignment" method="post" class="d-inline">
                                                             @Html.AntiForgeryToken()
                                                             <input type="hidden" name="assignmentId" value="@assignment.MapRotationServerAssignmentId" />
                                                             <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -273,7 +273,7 @@
                                                     }
                                                     @if (assignment.DeploymentState == DeploymentState.Synced && !isStale && !string.IsNullOrEmpty(assignment.ConfigFilePath) && assignment.ActivationState != ActivationState.Active)
                                                     {
-                                                        <form policy="@AuthPolicies.ManageMapRotations" asp-action="ActivateAssignment" method="post" class="d-inline">
+                                                        <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="ActivateAssignment" method="post" class="d-inline">
                                                             @Html.AntiForgeryToken()
                                                             <input type="hidden" name="assignmentId" value="@assignment.MapRotationServerAssignmentId" />
                                                             <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -284,7 +284,7 @@
                                                     }
                                                     @if (assignment.ActivationState == ActivationState.Active)
                                                     {
-                                                        <form policy="@AuthPolicies.ManageMapRotations" asp-action="DeactivateAssignment" method="post" class="d-inline">
+                                                        <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="DeactivateAssignment" method="post" class="d-inline">
                                                             @Html.AntiForgeryToken()
                                                             <input type="hidden" name="assignmentId" value="@assignment.MapRotationServerAssignmentId" />
                                                             <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
@@ -293,7 +293,7 @@
                                                             </button>
                                                         </form>
                                                     }
-                                                    <form policy="@AuthPolicies.ManageMapRotations" asp-action="DeleteAssignment" method="post" class="d-inline">
+                                                    <form policy="@AuthPolicies.ManageMapRotations" policy-resource="@Model.Rotation.GameType" asp-action="DeleteAssignment" method="post" class="d-inline">
                                                         @Html.AntiForgeryToken()
                                                         <input type="hidden" name="assignmentId" value="@assignment.MapRotationServerAssignmentId" />
                                                         <input type="hidden" name="mapRotationId" value="@Model.Rotation.MapRotationId" />
diff --git a/src/XtremeIdiots.Portal.Web/Views/MapRotations/Index.cshtml b/src/XtremeIdiots.Portal.Web/Views/MapRotations/Index.cshtml
diff --git a/src/XtremeIdiots.Portal.Web/Views/Shared/_Navigation.cshtml b/src/XtremeIdiots.Portal.Web/Views/Shared/_Navigation.cshtml

Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,19 @@ public class PolicyTagHelper(IAuthorizationService authService, IHttpContextAcce`
`12`	`12`
`13`	`13`	`public required string Policy { get; set; }`
`14`	`14`
	`15`	`+ /// <summary>`
	`16`	`+ /// Optional resource to pass to the authorization handler for resource-based policy checks.`
	`17`	`+ /// When provided, enables handlers that require a resource (e.g., GameType) to evaluate correctly.`
	`18`	`+ /// </summary>`
	`19`	`+ public object? PolicyResource { get; set; }`
	`20`	`+`
`15`	`21`	`public async override Task ProcessAsync(TagHelperContext context, TagHelperOutput output)`
`16`	`22`	`{`
`17`		`- if (!(await authService.AuthorizeAsync(principal, Policy).ConfigureAwait(false)).Succeeded)`
	`23`	`+ var result = PolicyResource != null`
	`24`	`+ ? await authService.AuthorizeAsync(principal, PolicyResource, Policy).ConfigureAwait(false)`
	`25`	`+ : await authService.AuthorizeAsync(principal, Policy).ConfigureAwait(false);`
	`26`	`+`
	`27`	`+ if (!result.Succeeded)`
`18`	`28`	`output.SuppressOutput();`
`19`	`29`	`}`
`20`	`30`	`}`