
Resource based list authorization ASP.Net Core

I've read the Microsoft article about resource-based authorization with IAuthorizationService, but it allows you to authorize only one resource. For example, I have a User class and a File class. A File has an owner and can be public or not, so the file can be viewed only if it is public or the user is the owner of this file. I need to display a list of all files for different users, so each user will see all public files and all owned files. In the authorization handler I have this:

protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                               OwnerOrPublicRequirement requirement,
                                               File resource)
{
    // Succeed only when the file is public or the current user is its owner.
    if (resource.IsPublic || context.User.Identity?.Name == resource.Owner)
    {
        context.Succeed(requirement);
    }

    return Task.CompletedTask;
}

Then in the controller I had to do it like this:

List<File> authorizedFiles = new List<File>();
foreach (var file in _dbContext.Files)
{
    // One authorization round-trip per file, after every row has been loaded.
    var result = await _authorizationService
        .AuthorizeAsync(User, file, new OwnerOrPublicRequirement());
    if (result.Succeeded)
    {
        authorizedFiles.Add(file);
    }
}

But it looks ugly because I have to load all the files from the DB and then filter them one by one. What if I have millions of files and most of them are neither public nor owned by the user? I will not be able to load all of them and filter like this because of running out of memory. I can rewrite it as a LINQ query and let the DB do all the work:

// Capture the user name outside the query so EF can translate the predicate to SQL.
var userName = User.Identity?.Name;
var authorizedFiles = _dbContext.Files
    .Where(f => f.IsPublic || f.Owner == userName)
    .ToList();

But then I will have two places with code that does the same thing, so whenever I need to change the authorization logic I have to fix two different parts of the code. So what would be the proper way of doing this?
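One way to keep the rule in a single place is to express it once as an expression tree that both the handler and the database query consume. This is an added example, not code from the question or from ASP.NET Core itself; it assumes a File entity with Owner and IsPublic properties, an EF Core DbContext, and a hypothetical FilePolicy class.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity, shaped like the File class described in the question.
public class File
{
    public int Id { get; set; }
    public string Owner { get; set; }
    public bool IsPublic { get; set; }
}

// Single source of truth for "owner or public". An Expression (not a plain Func)
// lets EF Core translate it to SQL while the handler can compile it for one object.
public static class FilePolicy
{
    public static Expression<Func<File, bool>> OwnerOrPublic(string userName) =>
        // The null guard matters: without it, an anonymous user (null name) would
        // match every file whose Owner column is NULL.
        f => f.IsPublic || (userName != null && f.Owner == userName);
}

public class OwnerOrPublicRequirement : IAuthorizationRequirement { }

// Per-resource check (e.g. a "view one file" action) reuses the same rule.
public class OwnerOrPublicHandler : AuthorizationHandler<OwnerOrPublicRequirement, File>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   OwnerOrPublicRequirement requirement,
                                                   File resource)
    {
        var allowed = FilePolicy.OwnerOrPublic(context.User.Identity?.Name).Compile();
        if (allowed(resource))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// List query: the filter runs in the database, so unauthorized rows are never loaded.
public static class FileQueries
{
    public static Task<List<File>> AuthorizedFilesAsync(DbContext db, string userName) =>
        db.Set<File>().Where(FilePolicy.OwnerOrPublic(userName)).ToListAsync();
}
```

Changing the rule in FilePolicy changes both the single-resource authorization and the list query, and the list never depends on loading rows the user may not see.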

Don't use the custom authorization provider; it adds too much extra cost and complexity.

Have one place to get the list of files and let the database do the heavy work of filtering and sorting by filename.

Death by a thousand cuts: having to know dozens/hundreds of special features of the ASP.NET framework costs. Each special knowledge item costs minutes per year to support for you and future developers and adds risk to the project.

Combined together, the hundreds of small extra features and specialized knowledge needed will add man-days (months?) to the cost of keeping your production system alive and enhancing it. Microsoft seems to have forgotten "keep it simple" and keeps adding dozens of features requiring specialized knowledge with each new version of ASP.NET.

A developer should be able to read the application's main program, then trace how each piece of code in the entire application code base is called, without needing to know the internals/extensibility-hell micro-trivia of the ASP.NET framework.
