I am building a simple cms in which roles are set dynamically in the admin panel. therefore the existing way of authorizing a controller method - [[Authorize(Roles=”admin”)] for example, is no longer sufficient. The role - action relationship must be stored in the database, so that end users could could easily give/take permissions to others from the admin panel
+1
A:
That is exactly what the ASP.NET membership / profile stuff does for you. And it works with the Authorize attribute.
If you want to roll your own you could create a custom action filter that mimics the behavior of the standard Authorize action filter does. Pseudo code below.
public MyAuthorizeAttribute : ActionFilterAttribute
{
public string MyRole { get; set; }
public void OnActionExecuting(ControllerContext context)
{
if (!(bool)Session["userIsAuthenticated"])
{
throw new AuthenticationException("Must log in.");
}
if (!Session["userRoles"].Contains(MyRole))
{
throw new AuthenticationException("Must have role " + MyRole);
}
}
}
rmacfie
2010-03-07 20:54:22
I'm quite new to that stuff, but I saw an example where the role was specifically assigned in the code, and I DO NOT want that. for example, some client might have a user group called "Engineer" which has specific privileges. I want him to be able to set them up from the admin panel, without touching any piece of code. Right now, I can't see how you can use the standard Authorize attribute for that
2010-03-07 21:00:07
Thanks, I'll check it out
2010-03-07 21:02:55
Well then you'd have to add lookups in your database at some point, maybe match the user and controller/action names with an access rule you have in the DB. Or something like that.
rmacfie
2010-03-07 21:07:24
A:
The role - action relationship must be stored in the database
You will have to check your security within the controller method, unless you want to subclass AuthorizeAttribute so that it looks up the roles from the database for you.
Robert Harvey
2010-03-08 16:58:01
+2
A:
If you want to take control of the authorization process, you should subclass AuthorizeAttribute and override the AuthorizeCore method. Then simply decorate your controllers with your CmsAuthorizeAttribute instead of the default.
public class CmsAuthorizeAttribute : AuthorizeAttribute
{
public override virtual bool AuthorizeCore(HttpContextBase httpContext)
{
IPrincipal user = httpContext.User;
IIdentity identity = user.Identity;
if (!identity.IsAuthenticated) {
return false;
}
bool isAuthorized = true;
// TODO: perform custom authorization against the CMS
return isAuthorized;
}
}
The downside to this is that you won't have access to ctor-injected IoC, so you'll have to request any dependencies from the container directly.
Richard Szalay
2010-03-08 17:06:36
+2
A:
The Solution To the Problem Is mentioned In the following link: http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx You may read more about [CustomAuthorize].
Abhishek
2010-08-09 06:06:18