c# - Better approach to check users access in Web Api, Service layer, DB -


users assigned 1 or more departments.

users have 1 or more roles instance, read own role can view his/her tasks. while team member role can view , edit others tasks within department he/she assigned to. user role admin can view , edit tasks in system.

due unauthorized access prevention , performance reasons want pass current logged in user id way down database able fetch records he/she has access to.

our system design is:

web api -> business/service layer -> repositories -> db

currently passing user id web api service layer in each method checks instance if user has role team member (who can view/edit other users tasks within departments has access to) , gets departments has access , passed further repositories.

is there better approach avoid passing user id in each method? best place in above design check users access?

we ideally want method without user id parameter able use same classes reporting in application.

any ideas?

use dependency injection inject icurrentuser instance services require user id perform queries , other tasks.

public interface icurrentuser {     int userid { get; } }  public class aspnetcurrentuser : icurrentuser {     public int userid { { return httpcontext.current.user.getuserid<int>(); } } }  public class service : iservice {     private readonly icurrentuser _currentuser;      public service(icurrentuser currentuser)     {         _currentuser = currentuser;     }      public object workwithuserid()     {         return _currentuser.userid;     } } 

Comments

Popular posts from this blog

commonjs - How to write a typescript definition file for a node module that exports a function? -

openid - Okta: Failed to get authorization code through API call -

ios - Change Storyboard View using Seague -