How would you implement authorization business logic?

Open BennieCopeland opened this issue 8 years ago • 1 comment

For example, if the user should only be able to view their own courses, how do you pass their identity back to the command or query handler? Do you just append it to the command/query prior to calling the handler like so?

public ViewResult Index(Index.Query query)
{
    query.UserId = User.Identity.Name;

    var model = _mediator.Send(query);

    return View(model);
}

My current use case is that a user has a Scope property that denotes the highest level of organizational data they can access. This is a hierarchical structure going from Enterprise > Region > Site. If they have enterprise, they can filter on any site, if they only have Region 1, they can only filter on sites under Region 1, if it is Site 3, only Site 3 data is available.

BennieCopeland avatar Mar 04 '16 09:03 BennieCopeland

Hi @BennieCopeland, what do you think about using a custom model binder for this: https://goo.gl/a80ehp & https://goo.gl/LVOVoi

Add the property model binder attribute to the UserId:

public class Index
{
    public class Query : IRequest<Model>
    {
        [PropertyModelBinder(typeof(UserNameModelBinder))]
        public string UserId { get; set; }
    }
}

The controller action:

public ViewResult Index(Index.Query query)
{
    var model = _mediator.Send(query);

    return View(model);
}

And your current use case is another query implementation.

ghost avatar Mar 11 '16 00:03 ghost
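An added example (not code from the ContosoUniversity project or from either poster) of how the hierarchical Scope check from the question could sit inside the query handler: the handler narrows the data to the caller's scope first and only then applies whatever filter the request carries. It assumes C# 9 or later and the hypothetical ScopeLevel, UserScope and Site types defined here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample types for this example; not from the ContosoUniversity project.
public enum ScopeLevel { Site, Region, Enterprise }
public record UserScope(ScopeLevel Level, int? RegionId = null, int? SiteId = null);
public record Site(int Id, int RegionId, string Name);

public static class ScopeAuthorization
{
    // True only when the site lies within the user's hierarchical scope.
    public static bool CanAccess(UserScope scope, Site site) => scope.Level switch
    {
        ScopeLevel.Enterprise => true,
        ScopeLevel.Region => site.RegionId == scope.RegionId,
        ScopeLevel.Site => site.Id == scope.SiteId,
        _ => false,
    };

    // Handler step: narrow to the scope first, then apply the user's own filter,
    // so a request for a site outside the scope yields nothing instead of data.
    public static IEnumerable<Site> VisibleSites(UserScope scope, IEnumerable<Site> all, int? requestedSiteId)
    {
        var inScope = all.Where(s => CanAccess(scope, s));
        return requestedSiteId is int id ? inScope.Where(s => s.Id == id) : inScope;
    }
}

public static class Program
{
    public static void Main()
    {
        var sites = new List<Site>   // Id, RegionId, Name
        {
            new Site(1, 1, "Site 1"),
            new Site(2, 1, "Site 2"),
            new Site(3, 2, "Site 3"),
        };
        // The scope is resolved server-side from the authenticated principal (the same
        // way the model binder fills UserId), never taken from the incoming request.
        var regionOneUser = new UserScope(ScopeLevel.Region, RegionId: 1);
        // A Region 1 user asking for Site 3 (Region 2) is filtered down to nothing.
        foreach (var s in ScopeAuthorization.VisibleSites(regionOneUser, sites, requestedSiteId: 3))
            Console.WriteLine(s.Name);
        // Without a site filter, the same user is limited to the Region 1 sites.
        foreach (var s in ScopeAuthorization.VisibleSites(regionOneUser, sites, null))
            Console.WriteLine(s.Name);
    }
}
```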