Rosen Petrov

Reputation: 198

Conditional User Roles in ASP.NET Core 2.2

I am creating an issue tracking system as an ASP.NET Core 2.2 web application, which serves to track and manage project creation, with the following user roles: Anonymous site visitors, logged in User, Administrator, Project Leader and Issue Assignee. A logged in User could be a Project Leader for some projects and, at the same time, an issue assignee for some issues from other projects.

How could I implement the user role management so the specific actions for the Project Leader in the ProjectController and for the Issue Assignee in the IssueController could be accessed only by the user which they are assigned to?

Upvotes: 0

Views: 152

Answers (1)

Vi100

Reputation: 4203

The problem you're describing is inherent to the roles approach to security (so it has nothing to do with ASP.NET Core). Using it here won't fulfill your requirements, as you need 'per instance' based security, that is, to control which user can perform some actions on each of the different projects and on each of the different issues, so the role of each user is different depending on the context.

So, my recommendation here would be to create a new property called LeaderID on the Project class that would maintain the ID of the user that is the Leader, and then check for equivalence against the current user in each of the controller actions that you want.

The Issues case is a little bit more difficult. If you have only one issue assignee for an issue, then the case is the same as above, just add a property called AsigneeID to the Issue class. If not, you would have to create a new table/entity that holds all the assignees for each of the issues, in a many-to-many fashion.

Good luck!

Upvotes: 2
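
The per-instance check the answer describes, written once as an ASP.NET Core resource-based authorization handler instead of being repeated in every action. This is an added example, not part of the original answer; `Project`, `IProjectStore` and the `Close` action are hypothetical, and it assumes `LeaderID` stores the same value as the user's `NameIdentifier` claim.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical entity; LeaderID is the property proposed in the answer.
public class Project { public int Id { get; set; } public string LeaderID { get; set; } }

// Hypothetical data-access abstraction.
public interface IProjectStore { Task<Project> FindAsync(int id); }

public class ProjectLeaderRequirement : IAuthorizationRequirement { }

// Succeeds only when the signed-in user is the leader of this particular project.
public class ProjectLeaderHandler : AuthorizationHandler<ProjectLeaderRequirement, Project>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        ProjectLeaderRequirement requirement, Project resource)
    {
        // Assumption: LeaderID holds the user's NameIdentifier claim value.
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null && userId == resource.LeaderID)
            context.Succeed(requirement);
        return Task.CompletedTask; // not calling Succeed leaves the request denied
    }
}

// Startup.ConfigureServices: services.AddSingleton<IAuthorizationHandler, ProjectLeaderHandler>();
public class ProjectController : Controller
{
    private readonly IAuthorizationService _authz;
    private readonly IProjectStore _projects;

    public ProjectController(IAuthorizationService authz, IProjectStore projects)
    { _authz = authz; _projects = projects; }

    [Authorize, HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Close(int id)
    {
        var project = await _projects.FindAsync(id);
        if (project == null) return NotFound();

        // Load the instance first, then authorize against it; the id in the URL proves nothing.
        var result = await _authz.AuthorizeAsync(User, project, new ProjectLeaderRequirement());
        if (!result.Succeeded) return Forbid();

        return Ok(); // leader-only work goes here
    }
}
```

The same pattern covers the issue assignee case: a second handler typed on the issue entity compares against `AsigneeID`, or looks the user up in the assignee table when an issue has several assignees.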
