Stephen Brannan - 62 - Sep 9, 2014

Is there a best practice on using the Role based authorization in ServieStack? Let me try and explain…

I have user Bob who is in the Admin role. I also have the user Jim who is in the Editor role. Bob as an admin is also an editor because the Admin role has the same access control as an editor and additional admin control. How do you represent this implicit authorization in ServiceStack?  Do I add RequiredRole(“Admin”, “Editor”) to the service or do I add RequiredRole(“Editor”) and put Bob in the Admin role as well as the Editor role? I would prefer the first choice if it’s easily accomplished in ServiceStack.

Stephen Brannan:

I think I might know my own answer here. I guess I have to override the HasRole method in the UserAuthSession. If there’s a better way I’m open to other ideas.

Required Roles takes a collection of all the required roles required for the service so the correct way would be add Bob to both roles.

For overriding AuthRoles you can either override AuthUserSession or override the IManageRoles API methods ( by subclassing your AuthRepository.

Stephen Brannan:

Thanks Demis! I think for my purposes overriding it in the AuthUserSession will work best since I’m already using the OrmLiteAuthRepository.