ASP.NET Web API role based authorization based on route parameter
You could do this with a custom AuthorizeAttribute
, for example:
public class ClubAuthoriseAttribute : System.Web.Http.AuthorizeAttribute
{
protected override bool IsAuthorized(HttpActionContext actionContext)
{
int clubId;
int.TryParse((string) actionContext.ActionArguments["clubId"], out clubId);
if (!UserCanManageClub(clubId))
{
return false;
}
return base.IsAuthorized(actionContext);
}
}
And then use this new attribute instead:
[ClubAuthorise(Roles = "ClubManager")]
[Route("{clubId}")]
public Club GetClub(int clubId)
Note, this is assuming the parameter is named clubId
, but you should have enough here to customise it to your needs.