Class PlatformScopedPermissionGuard
- Namespace: KadicAuth.Application.Roles.Validation
- Assembly: KadicAuth.Application.dll
Blocks callers who are not SuperAdmin (SA) from assigning platform-scoped permission codes to a tenant role. The check is atomic: any single platform-scoped code in the payload rejects the entire assignment.
Why: the SA endpoints that create or update tenants, plans, modules, etc. are gated by [RequirePlatformAdmin] at the controller layer. Without this guard, a malicious tenant admin could still assign those permission strings to a tenant role and have them surface in a user's claim set. That is cosmetically harmless, because the controller layer still rejects the request, but it would obscure role integrity and confuse auditors. This guard makes the write side reject the assignment up front.
public static class PlatformScopedPermissionGuard
- Inheritance: object → PlatformScopedPermissionGuard
Methods
EnsureCanAssignCodes(IEnumerable<string>, bool)
Checks the given permission codes against Permissions.PlatformScoped. If the caller is not a SuperAdmin and any of the codes are platform-scoped, throws System.UnauthorizedAccessException.
public static void EnsureCanAssignCodes(IEnumerable<string> codes, bool callerIsSuperAdmin)
Parameters
- codes: IEnumerable<string>
- callerIsSuperAdmin: bool
EnsureCanAssignIdsAsync(IEnumerable<Guid>, bool, IPermissionRepository, CancellationToken)
Convenience for handlers that only know the permission IDs. Resolves them to codes via the repository and delegates to EnsureCanAssignCodes(IEnumerable<string>, bool). IDs that do not resolve are ignored here — the surrounding handler is responsible for reporting unknown IDs.
public static Task EnsureCanAssignIdsAsync(IEnumerable<Guid> permissionIds, bool callerIsSuperAdmin, IPermissionRepository permissionRepository, CancellationToken cancellationToken)
Parameters
- permissionIds: IEnumerable<Guid>
- callerIsSuperAdmin: bool
- permissionRepository: IPermissionRepository
- cancellationToken: CancellationToken
Returns
- Task
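
The following is an added example, not KadicAuth's own code: a self-contained sketch of the contract documented above, showing the all-or-nothing rejection and why the calling handler has to report unknown IDs itself. `SamplePermissions`, `GuardSketch`, `TryAssign`, the in-memory catalog and the permission code strings are all hypothetical stand-ins, and ordinal (case-sensitive) matching is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in for Permissions.PlatformScoped; code strings are constructed for this example.
static class SamplePermissions
{
    public static readonly HashSet<string> PlatformScoped =
        new(StringComparer.Ordinal) { "platform.tenants.manage", "platform.plans.manage" };
}
// Sketch of the documented contract, not the KadicAuth implementation.
static class GuardSketch
{
    public static void EnsureCanAssignCodes(IEnumerable<string> codes, bool callerIsSuperAdmin)
    {
        if (callerIsSuperAdmin) return;
        // Atomic: one platform-scoped code rejects the whole payload; nothing is filtered out.
        var blocked = codes.Where(c => SamplePermissions.PlatformScoped.Contains(c)).ToList();
        if (blocked.Count > 0)
            throw new UnauthorizedAccessException(
                "Platform-scoped codes cannot go on a tenant role: " + string.Join(", ", blocked));
    }
}

static class Demo
{
    // Hypothetical handler step: unknown IDs are reported here because the guard ignores them.
    static string TryAssign(IEnumerable<Guid> ids, IReadOnlyDictionary<Guid, string> catalog, bool isSuperAdmin)
    {
        var idList = ids.ToList();
        var unknown = idList.Where(id => !catalog.ContainsKey(id)).ToList();
        if (unknown.Count > 0) return $"rejected: {unknown.Count} unknown permission id(s)";
        try
        {
            GuardSketch.EnsureCanAssignCodes(idList.Select(id => catalog[id]), isSuperAdmin);
            return "accepted";
        }
        catch (UnauthorizedAccessException ex) { return "rejected: " + ex.Message; }
    }
    static void Main()
    {
        var users = Guid.NewGuid(); var tenants = Guid.NewGuid();
        var catalog = new Dictionary<Guid, string> { [users] = "users.read", [tenants] = "platform.tenants.manage" };
        Console.WriteLine(TryAssign(new[] { users }, catalog, false));          // tenant-scoped only
        Console.WriteLine(TryAssign(new[] { users, tenants }, catalog, false)); // mixed payload, non-SA
        Console.WriteLine(TryAssign(new[] { users, tenants }, catalog, true));  // same payload, SuperAdmin
        Console.WriteLine(TryAssign(new[] { Guid.NewGuid() }, catalog, false)); // unresolved ID
    }
}
```

The mixed payload is rejected as a whole rather than being trimmed to its tenant-scoped codes, so a rejected request leaves the role unchanged.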