Hello, I'd like to know the best approach to solve my problems with authorization.
I've got the following non-trivial schema/models (let it be):
Asset * -> 1 Site * -> 1 Company * <- 1 Contact * -> 1 Employee
Site (int Company), Company (bool IsVerified), Contact (bool IsVerified, int Company, int? Employee), Employee, Asset (SiteId)
I'd like to create a new Asset that references a Site, so I should be assured that the Site belongs to the current User (employee). As it's imperative authorization, I decided to verify it inside the Action in the following way:
var valid = _service.IsSiteValid(model.SiteId, CurrentUserId); // will join across tables and select verified organization only by Site and User
if (!valid) return new ForbidResult();
But later I read about resource-based authorization and got confused.
Should I have a SiteAuthorizationView (UserId, IsCompanyVerified, IsContactVerified) and authorize it via resource-based authorization?
var view = _service.GetSiteAuthorizeView(model.SiteId);
var result = await _authorizationService.AuthorizeAsync(User, view, Operations.Read);
if (!result.Succeeded) return new ChallengeResult();
Should Company and Contact verification be separate, as claims-based?
What is the best way to solve it?
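
Added example, not part of the original post: a resource-based handler for the SiteAuthorizationView the question describes, built on ASP.NET Core's AuthorizationHandler<TRequirement, TResource>. The property types, the Operations class definition, the SiteAuthorizationHandler name and the use of the NameIdentifier claim as an integer user id are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;

// Projection loaded by site id; property names follow the post, the types are assumed.
public sealed class SiteAuthorizationView
{
    public int UserId { get; set; }
    public bool IsCompanyVerified { get; set; }
    public bool IsContactVerified { get; set; }
}

// Assumed definition of the Operations.Read requirement used in the post.
public static class Operations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = nameof(Read) };
}

// Hypothetical handler name; it is invoked only when the resource is a SiteAuthorizationView.
public sealed class SiteAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, SiteAuthorizationView>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        SiteAuthorizationView resource)
    {
        // Assumption: the user id is carried in the NameIdentifier claim as an int.
        var raw = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!int.TryParse(raw, out var userId))
            return Task.CompletedTask; // no usable identity: requirement stays unmet

        var ownsSite = resource.UserId == userId;
        var verified = resource.IsCompanyVerified && resource.IsContactVerified;

        // Succeed only on an explicit match; falling through denies by default.
        if (requirement.Name == Operations.Read.Name && ownsSite && verified)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}
```

The handler takes effect once it is registered in the service container as an IAuthorizationHandler, after which the AuthorizeAsync(User, view, Operations.Read) call from the post routes to it. Both verification flags are evaluated together with ownership in one place, so the action only inspects result.Succeeded.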