feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006]

2026-04-15 16:26:30 -03:00
parent cdb8dcd03c
commit 58d0df601f
4 changed files with 358 additions and 0 deletions
--- a/src/api/SIGCM2.Api/Authorization/RequirePermissionAttribute.cs
+++ b/src/api/SIGCM2.Api/Authorization/RequirePermissionAttribute.cs
@@ -0,0 +1,35 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace SIGCM2.Api.Authorization;
+
+/// <summary>
+/// Authorization attribute that requires the authenticated user to have at least ONE
+/// of the declared permission codes assigned to their role (OR semantics).
+/// Implements IAuthorizationRequirementData (.NET 8+) so ASP.NET Core builds the policy
+/// on-the-fly from GetRequirements() — no AddPolicy() registration needed.
+/// </summary>
+/// <example>
+/// // Single permission
+/// [RequirePermission("administracion:usuarios:gestionar")]
+///
+/// // Multiple — OR semantics: any single match grants access
+/// [RequirePermission("ventas:contado:crear", "ventas:ctacte:crear")]
+/// </example>
+[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
+public sealed class RequirePermissionAttribute
+    : AuthorizeAttribute, IAuthorizationRequirement, IAuthorizationRequirementData
+{
+    /// <summary>Permission codes required (OR semantics — at least one must match).</summary>
+    public string[] PermissionCodes { get; }
+
+    public RequirePermissionAttribute(params string[] permissionCodes)
+    {
+        if (permissionCodes is null || permissionCodes.Length == 0)
+            throw new ArgumentException("At least one permission code is required.", nameof(permissionCodes));
+
+        PermissionCodes = permissionCodes;
+    }
+
+    /// <inheritdoc/>
+    public IEnumerable<IAuthorizationRequirement> GetRequirements() => new[] { this };
+}