I'm creating custom policies for a web API. I assumed that requiring an authenticated user in a policy would prevent other requirements from being run. I know that adding multiple requirements forces them all to be passed, so essentially I see multiple requirements as having a && relationship, but they seem to be more of a & relationship.
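
    // Base policy: caller must be authenticated and carry a USER_ID claim.
    var requireUser = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("USER_ID")
        .Build();
    options.DefaultPolicy = requireUser;

    // Combined policy: the base policy plus the database-backed requirement.
    options.AddPolicy("RequireSomeDatabaseProperty",
        p => p.Combine(requireUser)
              .AddRequirements(new SomeDatabasePropertyRequirement()));
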
I'm finding that the database call will be made. Since it would be based on the USER_ID claim, I would probably have to put a guard there anyway, making the requireUser policy totally moot.
Is this the intended usage, or is something else wrong here? Does Combine() not work like I think it works?
Is there any way for me to just end the authorization process on require user if the user isn't authenticated?
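
The guard mentioned in the question, written out as an added example (not part of the original post): a handler for SomeDatabasePropertyRequirement that checks authentication and the USER_ID claim before touching the database. The handler class name and the IUserPropertyStore interface are hypothetical, assumed here for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public class SomeDatabasePropertyRequirement : IAuthorizationRequirement { }

// Hypothetical data-access abstraction, assumed for this example.
public interface IUserPropertyStore
{
    Task<bool> HasPropertyAsync(string userId);
}

// Register with: services.AddScoped<IAuthorizationHandler, SomeDatabasePropertyHandler>();
public class SomeDatabasePropertyHandler
    : AuthorizationHandler<SomeDatabasePropertyRequirement>
{
    private readonly IUserPropertyStore _store;

    public SomeDatabasePropertyHandler(IUserPropertyStore store) => _store = store;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        SomeDatabasePropertyRequirement requirement)
    {
        // Guard 1: anonymous caller. Return without calling Succeed, so this
        // requirement stays unmet and no database query is issued.
        if (context.User?.Identity?.IsAuthenticated != true)
        {
            return;
        }

        // Guard 2: authenticated but missing the claim the lookup is keyed on.
        var userId = context.User.FindFirst("USER_ID")?.Value;
        if (string.IsNullOrEmpty(userId))
        {
            return;
        }

        // Only now is the database consulted.
        if (await _store.HasPropertyAsync(userId))
        {
            context.Succeed(requirement);
        }
    }
}
```

The built-in RequireAuthenticatedUser requirement only declines to call Succeed for an anonymous user; it does not call context.Fail(), so setting AuthorizationOptions.InvokeHandlersAfterFailure to false does not stop later handlers in that case.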