tags:

views:

781

answers:

3
Q: 

How do I restrict access to certain pages in ASP.NET MVC?

Hi folks,

I wish to lock out access to a user's EDIT page (eg. /user/pure.krome/edit) if

a) Identity.IsAuthenticated = false

or they are authenticated but

b) Idenitity.Name != user name of the user page they are trying to edit
c) Identity.UserType() != UserType.Administrator // This is like a Role, without using RoleProviders.

I'm assuming u can decorate a controller or a controller's action method with something(s), but i'm just not sure what?

+1  A: 

Look at the AuthorizeAttribute.

http://stackoverflow.com/questions/532773/asp-net-mvc-can-the-authorizeattribute-be-overriden

Daniel A. White  2009-06-03 13:51:34
+1  A: 

A custom attribute derived from AuthorizeAttribute is what I use to do this. Override the OnAuthorize method and implement your own logic.

public class OnlyUserAuthorizedAttribute : AuthorizeAttribute
{
    public override void OnAuthorize( AuthorizationContext filterContext )
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizeResult();
        }
        ...
    }
}
tvanfosson  2009-06-03 13:53:24
Interesting ... but ... I know I need to substitute my own logic, over yours. But your code only answer's part (a). I can also check for (c). But I have no idea how the code could know what to check for (b). I have the Identity.Name ... but how does this attribute - at that point of time - know what the view data is? or any data in the action method (which i'm assuming hasn't been run, yet .. because attributes get handled first.
Pure.Krome  2009-06-03 14:07:51
The AuthorizationContext parameter includes references to the Controller, HttpContext, ResultContext, RouteData, and Result. You should be able to get all you need from the RouteData. To generalize, add a property to your attribute that allows you to specify the route data key to use for the user's name. You'll have to do the DB stuff to check the user's type independently. You might want to have two constructors: one that takes your database context/layer interface and another that takes no parameters and creates the default database context/layer. Use the former in unit testing.
tvanfosson  2009-06-03 14:14:05
A: 

I implemented the following ActionFilterAttribute and it works to handle both authentication and roles. I am storing roles in my own DB tables like this:

  • User
  • UserRole (contains UserID and RoleID foreign keys)

  • Role

    public class CheckRoleAttribute : ActionFilterAttribute { public string[] AllowedRoles { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    string userName = filterContext.HttpContext.User.Identity.Name;



    if (filterContext.HttpContext.User.Identity.IsAuthenticated)
{
    if (AllowedRoles.Count() > 0)
    {
        IUserRepository userRepository = new UserRepository();
        User user = userRepository.GetUser(userName);
        bool userAuthorized = false;
        foreach (Role userRole in user.Roles)
        {
            userAuthorized = false;
            foreach (string allowedRole in AllowedRoles)
            {
                if (userRole.Name == allowedRole)
                {
                    userAuthorized = true;
                    break;
                }
            }
        }
        if (userAuthorized == false)
        {
            filterContext.HttpContext.Response.Redirect("/Account/AccessViolation", true);
        }
    }
    else
    {
        filterContext.HttpContext.Response.Redirect("/Account/AccessViolation", true);
    }
}
else
{
    filterContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl + String.Format("?ReturnUrl={0}", filterContext.HttpContext.Request.Url.AbsolutePath), true);
}

    

}

I call this like this...

    [CheckRole(AllowedRoles = new string[] { "admin" })]
    public ActionResult Delete(int id)
    {
        //delete logic here
    }
mikerennick  2009-06-04 14:48:56
In my first line above I meant to say "*authentication* and roles"
mikerennick  2009-06-04 14:49:46
Mikerennick, do you do any caching of users or roles?
Pure.Krome  2009-06-05 10:38:09
I am not using caching -- but I see no reason why the list of roles assigned to a user could not be cached. You could update the cache when changes are made to assigned roles. The above code has no bearing on caching of users, as I am merely looking at httpcontext for the current user.I should also mention that adding a check for allowed users is the same in principle as the check for allowed roles.
mikerennick  2009-06-05 12:33:30

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data