I am trying to configure two policies which can only have one of two claims to enforce a four eyes principle:
services.AddAuthorization(options =>
{
    options.AddPolicy("CreditApprover", // An approver is not allowed to review.
        policy => policy.RequireAssertion(ctx =>
            ctx.User.HasClaim(claim => claim.Value == "CreditLoanApprover") &&
            !ctx.User.HasClaim(claim => claim.Value == "CreditLoanReviewer")));

    options.AddPolicy("CreditReviewer", // A reviewer is not allowed to approve.
        policy => policy.RequireAssertion(ctx =>
            !ctx.User.HasClaim(claim => claim.Value == "CreditLoanApprover") &&
            ctx.User.HasClaim(claim => claim.Value == "CreditLoanReviewer")));
});
I've added the Authorize attribute to the controller actions:
[Authorize(Policy = "CreditApprover")]
[HttpPost]
public async Task<ActionResult> Approve()
{
    // ...
}

[Authorize(Policy = "CreditReviewer")]
[HttpPost]
public async Task<ActionResult> Review()
{
    // ...
}
But if I give two different users both claims, they are still able to review their own approvals. I want these users to be unable to do so. Should this be possible like this, or do I need to build a custom AuthorizationHandler?
Works as described in the post itself. Probably missed something while configuring my claims during testing.
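As an added example (not code from the question or the answer above), the following console program evaluates the same two RequireAssertion predicates from the question against constructed ClaimsPrincipals, so the policy logic can be checked outside the ASP.NET pipeline. It also adds a per-record check that the reviewer's identity differs from the approver recorded on the loan; the LoanApplication record, the user ids and the claim values attached as role claims are all assumptions made for this example. It needs only System.Security.Claims, so it runs with `dotnet run` in an empty console project.

```csharp
using System;
using System.Security.Claims;

static class FourEyesDemo
{
    // Same predicates as the RequireAssertion lambdas in the question.
    static bool CanApprove(ClaimsPrincipal user) =>
        user.HasClaim(c => c.Value == "CreditLoanApprover") &&
        !user.HasClaim(c => c.Value == "CreditLoanReviewer");

    static bool CanReview(ClaimsPrincipal user) =>
        !user.HasClaim(c => c.Value == "CreditLoanApprover") &&
        user.HasClaim(c => c.Value == "CreditLoanReviewer");

    // Hypothetical loan record (constructed for this example): who approved it.
    record LoanApplication(string Id, string? ApprovedBy);

    // The per-record four-eyes rule: the reviewer must hold the reviewer claim
    // AND be a different identity than the approver of this particular record.
    static bool CanReviewRecord(ClaimsPrincipal user, LoanApplication loan)
    {
        var userId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return CanReview(user)
            && loan.ApprovedBy is not null
            && userId is not null
            && !string.Equals(userId, loan.ApprovedBy, StringComparison.Ordinal);
    }

    // Builds an authenticated principal with a name identifier and role claims
    // whose values match the strings the policies test for.
    static ClaimsPrincipal Principal(string id, params string[] roles)
    {
        var identity = new ClaimsIdentity("test");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, id));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        var alice = Principal("alice", "CreditLoanApprover");
        var bob   = Principal("bob", "CreditLoanReviewer");
        var carol = Principal("carol", "CreditLoanApprover", "CreditLoanReviewer");

        Console.WriteLine($"alice approve={CanApprove(alice)} review={CanReview(alice)}");
        Console.WriteLine($"bob   approve={CanApprove(bob)} review={CanReview(bob)}");
        Console.WriteLine($"carol approve={CanApprove(carol)} review={CanReview(carol)}");

        var loan = new LoanApplication("L-1", ApprovedBy: "alice");
        Console.WriteLine($"bob reviews L-1:   {CanReviewRecord(bob, loan)}");
        Console.WriteLine($"alice reviews L-1: {CanReviewRecord(alice, loan)}");
    }
}
```

Run as written, the output shows that a principal holding both claim values (carol) satisfies neither policy, which is what the two assertions in the question express. Note that the claim-based policies only make the two roles mutually exclusive per user; whether a given reviewer is the person who approved a given loan is a property of the record, not of the claims, which is why CanReviewRecord compares identities and is the kind of check a resource-based AuthorizationHandler would carry.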