ansaurus

Question

ASP .NET MVC Securing a Controller/Action

Answer 1

+6 A:

You can create your own custom Authorize attribute, something like "AuthorizeAllExceptAdmin." Within that class you would simply need to check whether or not the current user was an admin, and if they were reject it, otherwise accept it.

Here's a good tutorial, but you'll probably end up with something like:

public class AuthorizeAllExceptAdmin : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return !httpContext.User.IsInRole(Constants.ROLES_ADMINISTRATOR);
    }
}

Then your controller method becomes:

[AuthorizeAllExceptAdmin] 
public ActionResult SomethingOnlyNonAdminsCanDo() 
{ 
}

Here's an example of the custom attribute that takes in roles to deny.

public class DoNotAuthorize : AuthorizeAttribute
{
    private IEnumerable<string> _rolesToReject;

    public DoNotAuthorize(IEnumerable<string> rolesToReject)
    {
        _rolesToReject = rolesToReject;        
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        foreach (var role in _rolesToReject)
        {
            if (httpContext.User.IsInRole(role))
                return false;
        }

        return true;
    }
}

Then your controller method becomes:

[DoNotAuthorize(new [] {Constants.ROLES_ADMINISTRATOR})] 
public ActionResult SomethingOnlyNonAdminsCanDo() 
{ 
}

I would put some thought into it before choosing one of the above options. If you think you'll have several methods (or entire controllers) with similar authorization requirements (i.e, several actions an admin can not perform) then I would stick with the non-parameterized custom attribute. This way, you can evolve them all together (by only changing the custom attribute) later on. For example, maybe later on you want admins to be able to go into a special mode where they can perform these actions.

Alternatively, if the autorization is more varied amongst the actions, then using the parameterized list makes sense, since they'll evolve relatively independently.

manu08 2010-02-19 16:59:53

Any comments; how can I pass multiple parameters to custom attribute? Something like [DoNotAuthorize( role = 'A', role = 'B' )] ?

effkay 2010-02-19 17:29:23

@effkay Yes, you just include those in the constructor for your custom attribute. I'll add an example above.

manu08 2010-02-19 17:44:36

Nice example. using the IEnumerable, similar to my earlier suggestion of IList. That way you can have as many rejected roles as you wish.

Chris F 2010-02-20 16:52:38

Thanks. I generally do use IEnumerable across class boundaries to maintain encapsulation.

manu08 2010-02-21 21:07:06

Answer 2

+3 A:

Besides creating a custom AuthorizeAttribute, suggested by manu, you could use PrincipalPermission, with a Deny-SecurityAction:

[PrincipalPermission(SecurityAction.Deny, Role="Administrator")]

Pbirkoff 2010-02-19 17:04:41

thanks... lemme try!

effkay 2010-02-19 17:08:02

That's a good point. The main reason I would do it with a custom attribute, is to make it easier to maintain later on. For example, if you decide to later reject another role, you would just have to modify your custom attribute, as opposed to modifying every individual method that uses your solution.

manu08 2010-02-19 17:09:11

yes I guess... also, [PrincipalPermission(SecurityAction.Deny, Role="Administrator")] didn't work .....

effkay 2010-02-19 17:12:25

I'd try harder to make this work. Using someone else's debugged, tested, supported code is usually a better choice and lets you get more sleep at night.

No Refunds No Returns 2010-02-19 17:23:39

@effkay, did you substitute "Administrator" with Constants.ROLES_ADMINISTRATOR which I presume is a string that represents the name of your admin role?

Chris F 2010-02-19 17:27:21

@Chris: yup. Constants.ROLES is a string constant containing role name - not the user name.

effkay 2010-02-19 18:17:04

Answer 3

+1 A:

In my app I don't use roles so I have to query the database to determine whether the user has access or not. The benefits of the code below is that you can redirect the user to a certain action very easily. I explained the code in my blog post at http://blog.athe.la/2009/12/implementing-permission-via-windows-authentication-in-asp-mvc-using-action-filters/

public class DatabaseRepository()
{
    private readonly DatabaseDataContext db = new DatabaseDataContext();

    public bool UserHasPermission(string userLogon) {
        return (from permission this.db.Permissions
                where permission.HasPermissionSw == true
                select permission).Contains(userLogon);
    }
}

public class UserHasPermission: ActionFilterAttribute
{
    private readonly DatabaseRepository databaseRepository = new DatabaseRepository();
    private readonly string redirectAction;
    public UserHasPermission(string redirectTo)
    {
        this.redirectAction = redirectTo;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        string userLogon = filterContext.HttpContext.User.Identity.Name;
        if (!this.databaseRepository.UserHasPermission(userLogon))
        {
            string routeController = filterContext.Controller.ControllerContext.RouteData.Values["controller"];
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = routeController, action = this.redirectAction }));
        }
    }
}

Your controller would then look something like this:

[UserHasPermission("NoAccess")]
public ActionResult SecretArea()
{
    // run all the logic
    return View();
}

public ActionResult NoAccess()
{
    return View();
}

soniiic 2010-02-19 17:15:32

ansaurus

tags:

views:

answers:

ASP .NET MVC Securing a Controller/Action

related questions