Enhance AdminOnly authorization policy

Refactor the AdminOnly authorization policy to handle cases where a user profile is not found. Instead of throwing a NotFoundException, it now throws a ForbiddenException, ensuring a more appropriate response for unauthorized access attempts. Also introduces PolicyConstants for policy names.
2025-08-11 19:47:12 +02:00 · 2025-08-11 19:47:12 +02:00 · 9ec9139f69
commit 9ec9139f69
parent 1dc37d3282
4 changed files with 22 additions and 3 deletions
--- a/DrinkRateAPI/AuthorizationPolicies/AdminOnlyRequirement.cs
+++ b/DrinkRateAPI/AuthorizationPolicies/AdminOnlyRequirement.cs
@ -1,4 +1,5 @@
 using DrinkRateAPI.DbEntities;
+using DrinkRateAPI.Exceptions;
 using DrinkRateAPI.Services;

 namespace DrinkRateAPI.AuthorizationPolicies;
@ -26,7 +27,16 @@ public class AdminOnlyHandler : AuthorizationHandler<AdminOnlyRequirement>
        AuthorizationHandlerContext context,
        AdminOnlyRequirement requirement)
    {
-        var userProfile = await _applicationUserService.UserProfileByApplicationUserAsync(context.User);
+        DbUserProfile userProfile;
+
+        try
+        {
+            userProfile = await _applicationUserService.UserProfileByApplicationUserAsync(context.User);
+        }
+        catch (NotFoundException _)
+        {
+            throw new ForbiddenException();
+        }

        if (_userProfileService.IsUserProfileAdmin(userProfile))
        {
--- a/DrinkRateAPI/AuthorizationPolicies/PolicyConstants.cs
+++ b/DrinkRateAPI/AuthorizationPolicies/PolicyConstants.cs
@ -0,0 +1,7 @@
+namespace DrinkRateAPI.AuthorizationPolicies;
+
+public static class PolicyConstants
+{
+    public const string AdminOnly = "AdminOnly";
+    
+}
--- a/DrinkRateAPI/Controllers/UserProfileController.cs
+++ b/DrinkRateAPI/Controllers/UserProfileController.cs
@ -1,5 +1,6 @@
 using System.Security.Claims;
 using DrinkRateAPI.ApiModels.UserProfile;
+using DrinkRateAPI.AuthorizationPolicies;
 using DrinkRateAPI.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@ -28,7 +29,7 @@ public class UserProfileController : ControllerBase
    }

    [HttpPut("{userId}/adminStatus")]
-    [Authorize(Policy = "AdminOnly")]
+    [Authorize(Policy = PolicyConstants.AdminOnly)]
    [Produces("application/json")]
    public async Task<IActionResult> PutUserAdminStatus(string userId, [FromBody] UserProfileAdminStatusPut body)
    {
--- a/DrinkRateAPI/Program.cs
+++ b/DrinkRateAPI/Program.cs
@ -15,7 +15,7 @@ builder.Services.AddControllers();
 // Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
 builder.Services.AddEndpointsApiExplorer();
 builder.Services.AddAuthorizationBuilder()
-    .AddPolicy("AdminOnly", policy =>
+    .AddPolicy(PolicyConstants.AdminOnly, policy =>
        policy.Requirements.Add(new AdminOnlyRequirement()));
 builder.Services.AddIdentityApiEndpoints<DbApplicationUser>()
    .AddEntityFrameworkStores<ApplicationDbContext>();
@ -58,6 +58,7 @@ builder.Services.AddSwaggerGen(c =>
 builder.Services.AddDbContext<ApplicationDbContext>();
 builder.Services.AddScoped<ApplicationUserService>();
 builder.Services.AddScoped<UserProfileService>();
+builder.Services.AddScoped<ProductTableService>();

 var app = builder.Build();