Wrong totalResourceCount when using resource definition filter

[rachael-ross]

Description

I'm wondering if there is a seam / extensibility point where I can enforce filtering of returned data regardless if it's a primary call for that entity or if it's included with another entity.

For instance, I have an Identifiable of type "Org" and tried filtering the returned entities based upon the user's permissions. Works great, but if I make a primary request of say, UserProfile and include=org, this code doesn't get hit. (AuthorizedRepository<> inherits from EntityFrameworkCoreRepository<>)

 public class OrgRepository : AuthorizedRepository<Org>
    {
              
        public OrgRepository(ITargetedFields targetedFields,
            IDbContextResolver contextResolver,
            IResourceGraph resourceGraph,
            IGenericServiceFactory genericServiceFactory,
            IResourceFactory resourceFactory,
            IEnumerable<IQueryConstraintProvider> constraintProviders,
            ILoggerFactory loggerFactory,
            ICurrentUserAuthorizationService authService
            )
            : base(targetedFields, contextResolver, resourceGraph, genericServiceFactory, resourceFactory, constraintProviders, loggerFactory, authService)       
        {                    
        }

        protected override IQueryable<Org> GetAll()
        {
            var query = base.GetAll();

            var authRestricted = base.HasAccess(Policies.CanGetAllRestricted<Org>()) 
                                                || base.HasAccess(Policies.CanGetByIdRestricted<Org>());

            var authUnrestricted = base.HasAccess(Policies.CanGetAllUnrestricted<Org>()) 
                                                || base.HasAccess(Policies.CanGetByIdUnrestricted<Org>());
            
            if (authRestricted)
            {
                return query.Where(i => i.Id == AuthService.User.OrgId());
            }
            else if (authUnrestricted)
            {
                return query;
            }

            // no auth at all - auth is enforced on controller as well - just extra defensive
            throw new JsonApiException(new Error(HttpStatusCode.Unauthorized)
            {
                Title = "Unauthorized to retrieve Org"
            });
        }
    }

Environment

• JsonApiDotNetCore Version: master branch as of 11/15/20 - was using beta1 nuget, but needed the bug fix for #671
• Other Relevant Package Versions:

[bart-degreed]

Hi @rachael-ross, this is certainly possible.

As you already discovered, the request handling pipeline (controller -> resource service -> repository) is not the best place to do that. Instead you should use a resource definition, which is endpoint agnostic.

In your case, override JsonApiResourceDefinition<Org>.OnApplyFilter(). This executes your filter for all of these endpoints:

1. GET /orgs
2. GET /userProfiles/1/orgs
3. GET /userProfiles?include=orgs

See documentation for details.

[rachael-ross]

Awesome! Will give it a try. Thanks.

[rachael-ross]

@bart-degreed Works beautifully!!!!

There is one issue I found though. I have 8 UserProfiles in the test database and if the current user has restricted access which adds a filter, only one UserProfile is returned. Great... that's expected. However, the totalResources will say "8" because the call to count is being performed first, before the filters are applied. Not sure if there's a workaround for this?

SELECT COUNT(*)
FROM [UserProfiles] AS [u]

Here's my implementation:

public class AuthorizedResourceDefinition<TResource, TId> : JsonApiResourceDefinition<TResource, TId> 
        where TResource : class, IIdentifiable<TId>
    {
        protected ICurrentUserAuthorizationService AuthService { get; set; }

        public AuthorizedResourceDefinition(IResourceGraph resourceGraph,
            ICurrentUserAuthorizationService authService) : base(resourceGraph)
        {
            AuthService = authService;
        }

        protected virtual bool HasAccess(string policyKey, object resource = null)
        {
            return AuthService.AuthorizeAsync(resource, policyKey).GetAwaiter().GetResult().Succeeded;
        }
    }


    public class AuthorizedResourceDefinition<TResource> : AuthorizedResourceDefinition<TResource, int>, IResourceDefinition<TResource>
        where TResource : class, IIdentifiable<int>
    {
        public AuthorizedResourceDefinition(IResourceGraph resourceGraph, ICurrentUserAuthorizationService authService)
              : base(resourceGraph, authService)
        {
        }
    }

 public class UserProfileResourceDefinition : AuthorizedResourceDefinition<UserProfile>
    {        
        public UserProfileResourceDefinition(IResourceGraph resourceGraph, ICurrentUserAuthorizationService authService) 
            : base(resourceGraph, authService)
        { }

        public override FilterExpression OnApplyFilter(FilterExpression existingFilter)
        {
            var authRestricted = HasAccess(Policies.CanGetAllRestricted<UserProfile>())
               || HasAccess(Policies.CanGetByIdRestricted<UserProfile>());

            var authUnrestricted = HasAccess(Policies.CanGetAllUnrestricted<UserProfile>())
                || HasAccess(Policies.CanGetByIdUnrestricted<UserProfile>());

            if (authUnrestricted)
            {
                return base.OnApplyFilter(existingFilter);
            }
            else if (authRestricted)
            {
                var resourceContext = ResourceGraph.GetResourceContext<UserProfile>();
                var orgIdAttribute = resourceContext.Attributes.Single(a => a.Property.Name == nameof(UserProfile.OrgId));

                FilterExpression filterByOrgId = new ComparisonExpression(ComparisonOperator.Equals,
                    new ResourceFieldChainExpression(orgIdAttribute), new LiteralConstantExpression(AuthService.User.OrgId().ToString()));

                return base.OnApplyFilter(
                        existingFilter == null
                        ? filterByOrgId
                        : new LogicalExpression(LogicalOperator.And, new[] { filterByOrgId, existingFilter })
                    );                  
            }        

            // no auth at all - should never get to this point - but being extra defensive
            throw new JsonApiException(new Error(HttpStatusCode.Unauthorized)
            {
                Title = "Unauthorized to retrieve UserProfile"
            });            
        }
    }

BTW... this is the 3rd project in which I've used this library and want to say bravo!! You all have done some truly great work with this! (started with 4.0-alpha)

[bart-degreed]

Thanks for your compliments!

The wrong count looks like a bug. We forget to take your filter into account here.