The core of this question resides in how to pass/consume user information to a Service Layer used within an ASP.NET Core 5 WebApi application?
I can either use the IHttpContextAccessor in the Service Layer and allow it to look for claims about the user that it can use to "trim" the result set to only items that the user has access to view. But this couples the Service Layer to HTTP clients and working with claims in Service Layer feels unnatural for some reason.
--or--
I would need to allow the optional passing of user info directly to the Service Layer through Method parameters. The reason it's optional is because some users can see everything and the caller has this control.
Task<List<MyModel>> GetListAsync(string email = null);
Task<List<MyModel>> GetListAsync(string filter, string email = null);
Task<List<MyModel>> GetListAsync(Status status, string filter, string email = null);
--or--
Create separate method calls, one for security trimming and the other for all items.
Would like some guidance from community on pros/cons of these or different patterns. thx
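An added example, not part of the original post: one way to keep the security trimming inside the Service Layer without coupling it to HTTP is a small caller abstraction that an adapter in the web project fills from claims. The names ICurrentUser, ClaimsCurrentUser, MyService, the "can_view_all" claim and the sample data are assumptions made for illustration, and the method is synchronous for brevity.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical abstraction: the only thing the service layer knows about the caller.
public interface ICurrentUser
{
    string Email { get; }      // null when the caller is not identified
    bool CanViewAll { get; }
}

// Adapter that lives in the web project; there it would be handed HttpContext.User
// (for example through IHttpContextAccessor). Claims never reach the service layer.
public sealed class ClaimsCurrentUser : ICurrentUser
{
    private readonly ClaimsPrincipal _principal;
    public ClaimsCurrentUser(ClaimsPrincipal principal) => _principal = principal;
    public string Email => _principal.FindFirst(ClaimTypes.Email)?.Value;
    public bool CanViewAll => _principal.HasClaim("can_view_all", "true"); // assumed claim
}

public record MyModel(int Id, string OwnerEmail);

public sealed class MyService
{
    private readonly ICurrentUser _user;
    private readonly List<MyModel> _store;   // stands in for the real data source
    public MyService(ICurrentUser user, List<MyModel> store) { _user = user; _store = store; }

    // Trimming cannot be skipped by omitting an argument: an unidentified
    // caller gets an empty list (fail closed) instead of every row.
    public List<MyModel> GetList()
    {
        if (_user.CanViewAll) return _store.ToList();
        if (string.IsNullOrEmpty(_user.Email)) return new List<MyModel>();
        return _store.Where(m => string.Equals(m.OwnerEmail, _user.Email,
                                 StringComparison.OrdinalIgnoreCase)).ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new List<MyModel> { new(1, "a@example.test"), new(2, "b@example.test") }; // constructed data
        var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Email, "a@example.test") }, "test");
        var anon = new ClaimsPrincipal(new ClaimsIdentity());
        Console.WriteLine(new MyService(new ClaimsCurrentUser(new ClaimsPrincipal(id)), store).GetList().Count);
        Console.WriteLine(new MyService(new ClaimsCurrentUser(anon), store).GetList().Count);
    }
}
```

By contrast, with the `string email = null` overloads a caller that forgets the argument receives the untrimmed list.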