A developer often wants to show, hide, or otherwise modify a UI based on the current user identity. You can access the authorization service within MVC views via dependency injection. To inject the authorization service into a Razor view, use the @inject directive:
@using Microsoft.AspNetCore.Authorization
@inject IAuthorizationService AuthorizationService
If you want the authorization service in every view, place the @inject directive into the _ViewImports.cshtml file of the Views directory. For more information, see Dependency injection into views.
Use the injected authorization service to invoke AuthorizeAsync in exactly the same way you would check during resource-based authorization:
@if ((await AuthorizationService.AuthorizeAsync(User, "PolicyName")).Succeeded)
{
    <p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
In some cases, the resource will be your view model. Invoke AuthorizeAsync in exactly the same way you would check during resource-based authorization:
@if ((await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit)).Succeeded)
{
    <p><a class="btn btn-default" role="button"
        href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
}
In the preceding code, the model is passed as a resource the policy evaluation should take into consideration.
Warning
Don't rely on toggling visibility of your app's UI elements as the sole authorization check. Hiding a UI element may not completely prevent access to its associated controller action. For example, consider the button in the preceding code snippet. A user can invoke the Edit action method if they know the relative resource URL is /Document/Edit/1. For this reason, the Edit action method should perform its own authorization check.
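The following controller shows one way the Edit action can perform that check itself. It is an added example, not code from the original page; the Document model, the IDocumentRepository interface, and the exact definition of Operations.Edit are assumptions made so the example is self-contained.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

// Hypothetical model and data access, assumed for this example.
public class Document { public int Id { get; set; } }

public interface IDocumentRepository
{
    Task<Document?> FindAsync(int id); // null when no such document
}

// Assumed shape of the Operations.Edit requirement used by the view.
public static class Operations
{
    public static readonly OperationAuthorizationRequirement Edit =
        new OperationAuthorizationRequirement { Name = nameof(Edit) };
}

public class DocumentController : Controller
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IDocumentRepository _documents;

    public DocumentController(IAuthorizationService authorizationService,
                              IDocumentRepository documents)
    {
        _authorizationService = authorizationService;
        _documents = documents;
    }

    // Serves GET /Document/Edit/{id}, whether or not the view rendered the button.
    public async Task<IActionResult> Edit(int id)
    {
        var document = await _documents.FindAsync(id);
        if (document == null) return NotFound();

        // Same policy evaluation as the view, enforced on every request.
        var result = await _authorizationService.AuthorizeAsync(User, document, Operations.Edit);
        if (!result.Succeeded)
        {
            // 403 for a signed-in user; a challenge (for example, a sign-in redirect) otherwise.
            if (User.Identity?.IsAuthenticated == true) return Forbid();
            return Challenge();
        }

        return View(document);
    }
}
```

Any action that saves the edited document (for example, a POST handler) needs the same AuthorizeAsync call, because it can be requested directly just like the GET action.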