How to deal with mutually exclusive claims in policies to enforce four eyes principle

I'm trying to configure two policies that each require one, and only one, of two claims, in order to enforce the four-eyes principle:

services.AddAuthorization(options =>
{
    // An approver is not allowed to review: requires the approver claim and
    // rejects anyone who also carries the reviewer claim. Note that only the
    // claim value is compared, so a claim of any type with that value matches.
    options.AddPolicy("CreditApprover",
        policy => policy.RequireAssertion(ctx =>
            ctx.User.HasClaim(claim => claim.Value == "CreditLoanApprover") &&
            !ctx.User.HasClaim(claim => claim.Value == "CreditLoanReviewer")));

    // A reviewer is not allowed to approve: the mirror image of the policy above.
    options.AddPolicy("CreditReviewer",
        policy => policy.RequireAssertion(ctx =>
            !ctx.User.HasClaim(claim => claim.Value == "CreditLoanApprover") &&
            ctx.User.HasClaim(claim => claim.Value == "CreditLoanReviewer")));
});

I've added the Authorize attribute to the controller actions:

[Authorize(Policy = "CreditApprover")]
[HttpPost]
public async Task<ActionResult> Approve()
{
    // ...
}

[Authorize(Policy = "CreditReviewer")]
[HttpPost]
public async Task<ActionResult> Review()
{
    // ...
}

But if I give two different users two claims, they can still review their own approvals. I want those users to be unable to do that. Should this be possible, or do I need to build a custom AuthorizationHandler?
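The claim-based policies above only decide whether a user is, right now, a reviewer who is not also an approver. The four-eyes rule is really about a specific loan: the person reviewing it must not be the person who approved it, whatever claims either of them holds today. That is a resource-based check, which is what a custom AuthorizationHandler is for. The following is an added example, not code from the original question or from ASP.NET Core itself. It assumes a hypothetical LoanApplication class that records the approver's user id, that the user id is carried in ClaimTypes.NameIdentifier, and that the approver/reviewer claims use a hypothetical claim type "permission"; the users and loan are constructed in-line. It is a console program against the Microsoft.AspNetCore.Authorization, Microsoft.Extensions.DependencyInjection and Microsoft.Extensions.Logging packages (.NET 6 or later).

```csharp
// Added example, not code from the original post or from ASP.NET Core.
// Assumptions (hypothetical): a LoanApplication record with an ApprovedBy user id,
// the user id in ClaimTypes.NameIdentifier, and a "permission" claim type.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical resource. Who approved it is recorded on the loan itself, taken from
// the authenticated approver's NameIdentifier claim at approval time, never from the request body.
public sealed class LoanApplication
{
    public string Id { get; init; } = "";
    public string? ApprovedBy { get; init; }   // approver's user id; null until approved
}

// Per-resource requirement: the reviewer must be a different person from the approver.
public sealed class NotSelfReviewRequirement : IAuthorizationRequirement { }

public sealed class NotSelfReviewHandler : AuthorizationHandler<NotSelfReviewRequirement, LoanApplication>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        NotSelfReviewRequirement requirement, LoanApplication loan)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        // Fail closed: unknown reviewer, nothing approved yet, or the same person -> requirement stays unmet.
        if (!string.IsNullOrEmpty(userId) && loan.ApprovedBy is not null && loan.ApprovedBy != userId)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public static class FourEyesDemo
{
    public static IAuthorizationService BuildAuthorizationService()
    {
        var services = new ServiceCollection();
        services.AddLogging();                     // DefaultAuthorizationService takes an ILogger
        services.AddAuthorizationCore(options =>   // AddAuthorization in a web host; Core is enough here
        {
            options.AddPolicy("CreditReviewer", policy =>
            {
                // The claim-level exclusion from the question, with the claim type pinned down.
                policy.RequireAssertion(ctx =>
                    ctx.User.HasClaim(c => c.Type == "permission" && c.Value == "CreditLoanReviewer") &&
                    !ctx.User.HasClaim(c => c.Type == "permission" && c.Value == "CreditLoanApprover"));
                // The per-loan check that claims alone cannot express.
                policy.AddRequirements(new NotSelfReviewRequirement());
            });
        });
        services.AddSingleton<IAuthorizationHandler, NotSelfReviewHandler>();
        return services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
    }

    // Constructed test principal: an authenticated identity with a user id and permission claims.
    public static ClaimsPrincipal MakeUser(string id, params string[] permissions)
    {
        var claims = permissions.Select(p => new Claim("permission", p))
                                .Prepend(new Claim(ClaimTypes.NameIdentifier, id));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "demo"));
    }

    // Evaluates the policy against the loan; this is the call a controller action makes
    // once it has loaded the loan, instead of relying on [Authorize(Policy = ...)] alone.
    public static async Task<bool> CanReviewAsync(IAuthorizationService auth, ClaimsPrincipal user, LoanApplication loan)
    {
        var result = await auth.AuthorizeAsync(user, loan, "CreditReviewer");
        return result.Succeeded;
    }

    public static async Task Main()
    {
        var auth = BuildAuthorizationService();
        var loan = new LoanApplication { Id = "L-1", ApprovedBy = "alice" };   // constructed sample loan

        var alice = MakeUser("alice", "CreditLoanReviewer");                        // approved this loan herself
        var bob   = MakeUser("bob", "CreditLoanReviewer");                          // a different reviewer
        var carol = MakeUser("carol", "CreditLoanApprover", "CreditLoanReviewer");  // holds both claims

        Console.WriteLine($"alice may review L-1: {await CanReviewAsync(auth, alice, loan)}");
        Console.WriteLine($"bob may review L-1:   {await CanReviewAsync(auth, bob, loan)}");
        Console.WriteLine($"carol may review L-1: {await CanReviewAsync(auth, carol, loan)}");
    }
}
```

Two points about this design. First, alice is denied even though she only holds the reviewer claim now, because the loan remembers that she approved it; that is the case a purely claim-based policy cannot catch when claims are reassigned between approval and review. Second, an AuthorizationHandler typed on LoanApplication never sees a loan when the policy is evaluated by the [Authorize] attribute (the attribute passes the HTTP context or endpoint as the resource), so the requirement is left unmet and the request is rejected. Either evaluate the policy imperatively with the loaded loan, as CanReviewAsync does, or keep the claim-only policy on the attribute and put NotSelfReviewRequirement in a separate policy that the action checks against the loan.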

It works as described in the post itself. I probably missed something when configuring my claims during testing.