Hello, I'm a beginner with Razor/MVC/.NET Core. I've made very simple C# apps before with Visual Studio, e.g. Xamarin.
Using Microsoft's Razor tutorials I've been working on making a Razor app with a basic CRUD system for editing/updating student details. I'm just a bit stuck on setting up roles for production now.
This tutorial https://docs.microsoft.com/en-us/aspnet/core/security/authorization/secure-data?view=aspnetcore-2.2 talks about authorization setup with seeded data and on MVC (not using Razor conventions). I'd just like to set up 2 roles: Administrator (full rights) and Reviewer (can view, not edit/delete), and only the homepage/about are accessible without login.
So far I've set up authorization as follows in startup:

    services.AddMvc()
        .AddRazorPagesOptions(options =>
        {
            options.Conventions.AuthorizePage("/Students");
            options.Conventions.AllowAnonymousToPage("/private/PublicPage");
            // Folder paths must be root-relative (leading slash).
            options.Conventions.AllowAnonymousToFolder("/private/PublicPages");
        });
So you need to be registered to access "Students" directory. That's fine. Now I just don't understand the concept of how roles can be divided in production. For example, say I want to add a new administrator or reviewer, how would I do this when the app is live? Provided that the same database records users (and not an external Azure identity tool).
The only people using this app will be people I always add manually (staff members) and I'll be assigning them Admin/Reviewer role.
And then I just need to know how I can ensure only "edit" and "delete" processes and buttons are available to administrators. In MVC I've seen this done using this snippet above the part of the CS you want accessible to the specified role:
[Authorize(Roles = "Administrator")]
As far as I know, I think this works for MVC but not Razor.
Any suggestions?
Thank you so much.
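
The two-role setup asked about above, as an added example that is not part of the original post: role-based policies attached through Razor Pages conventions, plus a helper that grants a role to an existing account at runtime. The policy names, the `RoleSetup` class and the `Create`/`Edit`/`Delete` page names are assumptions; it also assumes ASP.NET Core Identity is registered with roles enabled.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class RoleSetup   // hypothetical helper class
{
    // Call from Startup.ConfigureServices in place of the AddMvc() call.
    // Assumes Identity is already registered with roles enabled, e.g.
    // AddDefaultIdentity<IdentityUser>().AddRoles<IdentityRole>()...
    public static void AddStudentAuthorization(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanView", p => p.RequireRole("Administrator", "Reviewer"));
            options.AddPolicy("CanEdit", p => p.RequireRole("Administrator"));
        });

        services.AddMvc().AddRazorPagesOptions(options =>
        {
            // Everything under /Pages/Students needs one of the two roles.
            options.Conventions.AuthorizeFolder("/Students", "CanView");
            // Write pages additionally need Administrator (page names assumed).
            foreach (var page in new[] { "Create", "Edit", "Delete" })
                options.Conventions.AuthorizePage("/Students/" + page, "CanEdit");
        });
    }

    // Grants a role to an existing account while the app is live, e.g. from an
    // Administrator-only page. sp must be a scoped provider (a request's
    // HttpContext.RequestServices or one from IServiceScopeFactory.CreateScope).
    public static async Task GrantRoleAsync(IServiceProvider sp, string email, string role)
    {
        var roles = sp.GetRequiredService<RoleManager<IdentityRole>>();
        var users = sp.GetRequiredService<UserManager<IdentityUser>>();

        if (!await roles.RoleExistsAsync(role))
            Check(await roles.CreateAsync(new IdentityRole(role)));

        var user = await users.FindByEmailAsync(email)
            ?? throw new InvalidOperationException("No such user: " + email);
        if (!await users.IsInRoleAsync(user, role))
            Check(await users.AddToRoleAsync(user, role));
    }

    private static void Check(IdentityResult result)
    {
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors.Select(e => e.Description)));
    }
}
```

Wrapping the Edit/Delete links in a `User.IsInRole("Administrator")` check in the .cshtml only hides them; the `CanEdit` policy on the pages is what actually blocks a Reviewer who requests the URL directly. A newly granted role shows up in the user's claims at their next sign-in.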