json-api-dotnet / JsonApiDotNetCore

A framework for building JSON:API compliant REST APIs using ASP.NET and Entity Framework Core.

Home Page: https://www.jsonapi.net


Limit access to Entity by Tenant or UserID

Andreamarcelli opened this issue · comments

SUMMARY

How can I limit querying data on an Entity by tenantID or UserID?

DETAILS

I manage the access to specific APIs with claims.
For example, if I have the claim profile.read, the user can call the profile API on GET, and the purpose is to see his own account details.
But in this way I also allow the user to read all data inside profile with simple malicious manipulation of the query string. Is there a way to set default filters in the middleware?
The problem is, if someone uses Postman for example and removes the filter, they can read the whole table...

VERSIONS USED

  • JsonApiDotNetCore version: 5.1.2
  • ASP.NET Core version: 6.0

Hi @Andreamarcelli, there's a sample at https://github.com/json-api-dotnet/JsonApiDotNetCore/tree/master/test/JsonApiDotNetCoreTests/IntegrationTests/MultiTenancy that shows how to do that. It uses an EF Core QueryFilter in the DbContext to constrain results to a specific tenant. As can be seen from the test cases, this works for primary/secondary endpoints, included relationships and nested filters, as well as write endpoints with relationships.

If you want to take it a step further and have a separate database per tenant, see https://github.com/json-api-dotnet/JsonApiDotNetCore/tree/master/src/Examples/DatabasePerTenantExample.

Hope this helps.
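To make the EF Core query-filter approach from the answer above concrete, here is an added example (not the linked MultiTenancy sample and not code from the JsonApiDotNetCore project). It assumes a `Profile` entity with a `TenantId` column, a `tenant_id` claim issued by your identity provider, an `ITenantProvider` abstraction of my own naming, and SQLite as the store; adjust all of those to your setup.

```csharp
using System.Security.Claims;
using JsonApiDotNetCore.Configuration;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// ASP.NET Core 6 minimal hosting. Registration order does not matter; what matters is that
// the tenant provider is scoped (one per request) so the DbContext sees the current caller.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpContextAccessor();
builder.Services.AddScoped<ITenantProvider, ClaimsTenantProvider>();
builder.Services.AddDbContext<AppDbContext>(options => options.UseSqlite("Data Source=app.db")); // assumed store
builder.Services.AddJsonApi<AppDbContext>();

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseJsonApi();
app.MapControllers();
app.Run();

// Hypothetical tenant-scoped resource; the attribute names are placeholders.
public class Profile
{
    public int Id { get; set; }
    public string TenantId { get; set; } = null!;
    public string DisplayName { get; set; } = null!;
}

public interface ITenantProvider
{
    string TenantId { get; }
}

// Resolves the caller's tenant from a claim on the authenticated principal.
// The claim type "tenant_id" is an assumption; use what your token issuer emits.
public sealed class ClaimsTenantProvider : ITenantProvider
{
    private readonly IHttpContextAccessor _httpContextAccessor;

    public ClaimsTenantProvider(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public string TenantId
    {
        get
        {
            ClaimsPrincipal? user = _httpContextAccessor.HttpContext?.User;
            string? tenantId = user?.FindFirst("tenant_id")?.Value;

            // Fail closed: a request without a tenant claim must never reach an unfiltered query.
            return tenantId ?? throw new InvalidOperationException("No tenant_id claim on the current request.");
        }
    }
}

public sealed class AppDbContext : DbContext
{
    private readonly ITenantProvider _tenantProvider;

    public AppDbContext(DbContextOptions<AppDbContext> options, ITenantProvider tenantProvider)
        : base(options)
    {
        _tenantProvider = tenantProvider;
    }

    public DbSet<Profile> Profiles => Set<Profile>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // EF Core appends this predicate to every LINQ query over Profile, including the
        // queries JsonApiDotNetCore builds from ?filter=... in the query string. The member
        // access on the context is parameterized per query, so each request gets its own tenant.
        modelBuilder.Entity<Profile>().HasQueryFilter(profile => profile.TenantId == _tenantProvider.TenantId);
    }

    public override Task<int> SaveChangesAsync(bool acceptAllChangesOnSuccess, CancellationToken cancellationToken = default)
    {
        // The filter only constrains reads. Stamp writes server-side as well, so a client
        // cannot create a row in, or move a row into, another tenant by sending its own TenantId.
        foreach (var entry in ChangeTracker.Entries<Profile>())
        {
            if (entry.State is EntityState.Added or EntityState.Modified)
            {
                entry.Entity.TenantId = _tenantProvider.TenantId;
            }
        }

        return base.SaveChangesAsync(acceptAllChangesOnSuccess, cancellationToken);
    }
}
```

With this in place, deleting the `filter` parameter in Postman changes nothing: the `WHERE "TenantId" = @tenant` predicate is added by EF Core, not by the client, and a request whose principal carries no tenant claim fails rather than falling through to the full table. The same pattern applies to a per-user scope by filtering on a user identifier claim instead of a tenant one.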

@Andreamarcelli Do you need this issue to remain open?

Closing due to inactivity. Please let me know if you need this to remain open.