ASP.NET Core MVC Navigation Security Trimming

Question

In ASP.NET Core MVC I would like to hide links in my navigation bar that the user is not authorized to access. Currently the MvcSiteMapProvider that I have used in previous projects does not support ASP.NET Core MVC.

A similar question was asked a couple of years ago and whilst the suggested answer would work it would require repeating the Authorization filter set on a controller/action to ensure links are hidden.

How can this be done and are there any current examples of security trimming in ASP.NET Core MVC?

Answer 1

I have created custom tag helper to handle this.

[HtmlTargetElement(Attributes = "asp-roles")]
public class SecurityTrimmingTagHelper : TagHelper
{
    [ViewContext]
    public ViewContext Context { get; set; }

    [HtmlAttributeName("asp-roles")]
    public string Roles { get; set; }

    /// <summary>
    /// Hides html element if user is not in provided role.
    /// If no role is supplied the html element will be render.
    /// </summary>
    /// <param name="context"></param>
    /// <param name="output"></param>
    public override void Process(TagHelperContext context, TagHelperOutput output)
    {            
        if (!Context.HttpContext.User.Identity.IsAuthenticated)
        {
            output.SuppressOutput();
        }

        if (!string.IsNullOrEmpty(Roles))
        {
            var roles = Roles.Split(',');
            foreach (var role in roles)
            {
                if (!Context.HttpContext.User.IsInRole(role))
                {
                    output.SuppressOutput();
                    return;
                }
            }
        }
    }
}

You can apply this to any html element. If you want to apply it to only specific html element ( lets say <li>) then change the HtmlTargetElement to

[HtmlTargetElement("li",Attributes = "asp-roles")]

then in view you can do

<li asp-roles="Admin"><a href="/Profile/Admin">Admin</a></li>