lmxopcua/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/ClusterAuthorizeView.razor

@* Cluster-scoped counterpart of <AuthorizeView>. Renders Authorized/ChildContent only when the
   signed-in user's effective role for ClusterId meets MinRole; otherwise renders NotAuthorized.
   Effective role combines fleet-wide and cluster-scoped grants — see ClaimsPrincipalClusterExtensions. *@
@using System.Security.Claims
@using ZB.MOM.WW.OtOpcUa.Admin.Security
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums

@if (_authorized)
{
    @(Authorized ?? ChildContent)
}
else
{
    @NotAuthorized
}

@code {
    [CascadingParameter] private Task<AuthenticationState>? AuthState { get; set; }

    /// <summary>Cluster the grant is evaluated against.</summary>
    [Parameter, EditorRequired] public string ClusterId { get; set; } = string.Empty;

    /// <summary>Minimum effective role required to render the authorized content.</summary>
    [Parameter] public AdminRole MinRole { get; set; } = AdminRole.ConfigViewer;

    /// <summary>Content shown when authorized (alias-friendly: use this or <see cref="ChildContent"/>).</summary>
    [Parameter] public RenderFragment? Authorized { get; set; }

    /// <summary>Default content slot — shown when authorized if <see cref="Authorized"/> is unset.</summary>
    [Parameter] public RenderFragment? ChildContent { get; set; }

    /// <summary>Content shown when the user lacks the required role; renders nothing when unset.</summary>
    [Parameter] public RenderFragment? NotAuthorized { get; set; }

    private bool _authorized;

    protected override async Task OnParametersSetAsync()
    {
        _authorized = false;
        if (AuthState is null) return;
        var user = (await AuthState).User;
        _authorized = user.HasClusterRole(ClusterId, MinRole);
    }
}