The Authorize tag helper allows you render blocks of HTML only for users who are authorized based on ASP.NET Core Authorization Roles and Policies. For example, a section of HTML might be rendered only if a user has the Admin role. Since everything is evaluated on the server, this tag helper provides an easy way to ensure that users only see the HTML sections they are supposed to see.
The Authorize tag helper works in the same way as the Authorize filter works for controllers and action Methods. The examples below show some common use cases.
Use this section to login using different username, roles and age to see how the Authorize Tag Helper can be used to hide sections of HTML.
<div asp-authorize class="col-md-4">
<div class="panel panel-default">
<div class="panel-heading">Welcome !!</div>
<div class="panel-body">
If you're logged in, you can see this section
</div>
</div>
</div>
<div asp-authorize asp-roles="Admin" class="col-md-4">
<div class="panel panel-default">
<div class="panel-heading">Admin Section</div>
<div class="panel-body">
Only admin users can see this section. Top secret admin things go here.
</div>
</div>
</div>
<div asp-authorize asp-policy="Seniors" class="col-md-4">
<div class="panel panel-default">
<div class="panel-heading">Seniors Only</div>
<div class="panel-body">
Only users age 65 or older can see this section. Early bird dinner coupons go here. The app has a policy named Seniors which requires a claim of type <i>Age</i> with a value greater than or equal to <i>65</i>.
</div>
</div>
</div>
<div asp-authorize asp-roles="Admin" asp-policy="Seniors" class="col-md-4">
<div class="panel panel-default">
<div class="panel-heading">Admin Seniors Only</div>
<div class="panel-body">
Only users who have both the Admin role AND are age 65 or older can see this section.
</div>
</div>
</div>
Resource based authorization allows you to evaluate policies/requirements for the current user against a particular resource. You can read more about resource authorization here.
The following examples shows the two uses for the Authorize Resource tag helper. First, we evaluate the EditDocument policy for the Edit link. Next, we evalute the Operations.Delete requirement for the Delete link.
| Title | Author | Edit | Delete |
|---|---|---|---|
| County to Pay $250,000 to Advertise Lack of Funds | Joe | ||
| Enfield (London) Couple Slain; Police Suspect Homicide | Jim | ||
| Enraged Cow Injures Farmer with Ax | James | ||
| Juvenile Court to Try Shooting Defendant | Joe | ||
| If Strike Isn't Settled Quickly, It May Last Awhile | Jane | ||
| Utah Poison Control Center Asks People to not Consume Poison | James | ||
| Local High School Dropouts Cut in Half | Joe | ||
| Juvenile Court to Try Shooting Defendant | James | ||
| Federal Agents Find Weapons in Gun Shop Raid | Joe | ||
| Statistics Show Teenage Pregnancy Drops Dramatically After Age 19 | Jim | ||
| Enraged Cow Injures Farmer with Ax | Joe | ||
| New Study of Obesity Looks for Larger Test Group | Jim | ||
| Airplanes Forced to Land at Airports | James | ||
| If Strike Isn't Settled Quickly, It May Last Awhile | Jim | ||
| Astronaut Takes Blame for Gas in Spacecraft | Jim |
<table class="table table-striped">
<thead>
<tr>
<th>Title</th>
<th>Author</th>
<th>Edit</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
@foreach (Document document in ViewBag.Documents)
{
<tr>
<td>@document.Title</td>
<td>@document.Author</td>
<td><a href="#" asp-authorize-resource="document"
asp-policy="EditDocument" class="glyphicon glyphicon-pencil"></a>
</td>
<td><a href="#" asp-authorize-resource="document"
asp-requirement="Operations.Delete" class="glyphicon glyphicon-trash text-danger">
</a></td>
</tr>
}
</tbody>
</table>