What is the internal working of the Authorize attribute in MVC - asp.net-mvc

How does the AuthorizeAttribute work?
[Authorize]
public ActionResult AuthenticatedUsers()
{
return View();
}
[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
return View();
}

It is like a session.
[Authorize] means all authenticated users are allowed.
[Authorize(Roles = "Admin, Super User")] means only users in those roles are allowed.
For example, an admin sees everything on a page, but a user sees only some content of the same page.
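To make the "internal working" the question asks about visible, here is an added illustration (not the framework's source and not part of the answer above): an attribute that redoes the same steps System.Web.Mvc.AuthorizeAttribute performs, with each step commented. The class, controller and helper names are chosen here for illustration. Note that the decision is taken on HttpContext.User, the principal the authentication module attached to the request, not on session state.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Added illustration (not the framework's source): the same steps the built-in
// AuthorizeAttribute performs, written out so each check is visible.
public class ExplainedAuthorizeAttribute : AuthorizeAttribute
{
    // "Admin, Super User" -> ["Admin", "Super User"]: comma separated, each entry
    // trimmed, so the space after the comma is harmless.
    private static string[] SplitList(string list)
    {
        if (string.IsNullOrWhiteSpace(list)) return new string[0];
        return list.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                   .Select(s => s.Trim()).ToArray();
    }

    // Step 1: decide on HttpContext.User, the IPrincipal that forms authentication
    // (or another module) attached to the request. Session state is not consulted.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;                       // plain [Authorize] fails here

        string[] users = SplitList(Users);     // Users = "alice,bob": restrict by name
        if (users.Length > 0 &&
            !users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return false;

        string[] roles = SplitList(Roles);     // Roles = "Admin, Super User": ANY one suffices
        if (roles.Length > 0 && !roles.Any(user.IsInRole))
            return false;

        return true;
    }

    // Step 2: the filter runs before the action. [AllowAnonymous] on the action or
    // its controller short-circuits it. A pass registers an output-cache validation
    // callback so a cached page is re-authorized per request; a failure becomes a 401.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        bool skip = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
                 || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (skip) return;

        if (AuthorizeCore(filterContext.HttpContext))
        {
            HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
            cache.SetProxyMaxAge(new TimeSpan(0));
            cache.AddValidationCallback(CacheValidateHandler, null);
        }
        else
        {
            HandleUnauthorizedRequest(filterContext);
        }
    }

    private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus status)
    {
        status = OnCacheAuthorization(new HttpContextWrapper(context));
    }

    // Step 3: a 401 result. With <authentication mode="Forms"> in web.config the
    // forms module turns the 401 into a redirect to loginUrl with ?ReturnUrl=...
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

// Usage is identical to the built-in attribute.
public class DemoController : Controller
{
    [ExplainedAuthorize]                                  // any authenticated user
    public ActionResult AuthenticatedUsers() { return View(); }

    [ExplainedAuthorize(Roles = "Admin, Super User")]     // either role is enough
    public ActionResult AdministratorsOnly() { return View(); }
}
```

Two points worth keeping in mind from the code: a role list is an OR (membership in any listed role passes), and when both Users and Roles are set both must be satisfied.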

Related

Is it possible to have this kind of role-based authorization?

I'm setting up a role-based authorization in my ASP.NET MVC Web application and I need help with role authorization attributes at different levels.
I've read about it from this article and saw that it is possible to have limits like in this example code:
[Authorize(Roles = "Administrator, User")]
public class MyController : Controller
{
public ActionResult SetAction1()
{
return View();
}
[Authorize(Roles = "Administrator")]
public ActionResult SetAction2()
{
return View();
}
}
Is it possible to have this kind of role authorization?
[Authorize(Roles = "Administrator")]
public class ControlPanelController : Controller
{
public ActionResult SetAction1()
{
return View();
}
[Authorize(Roles = "Administrator, User")]
public ActionResult SetAction2()
{
return View();
}
}
Nope.
When you set [Authorize(Roles = "Administrator")] on the controller, only an Administrator can pass the authorization and the User role will be prevented. So a User will never reach that level. But if one user has both the Administrator and User roles at the same time, then s/he will pass it.
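The reason is that authorization filters in scope (global, controller, action) are all run and each must pass; an action-level attribute can only narrow, never widen. MVC 5 added [OverrideAuthorization] (System.Web.Mvc.Filters) for exactly the asker's layout. The following is an added example, not code from the question or the answer, and assumes MVC 5 or later:

```csharp
using System.Web.Mvc;
using System.Web.Mvc.Filters;   // OverrideAuthorizationAttribute, MVC 5+

[Authorize(Roles = "Administrator")]
public class ControlPanelController : Controller
{
    // Only the controller-level filter applies: Administrator required.
    public ActionResult SetAction1()
    {
        return View();
    }

    // Without [OverrideAuthorization] both filters run and both must pass, so a
    // plain User is stopped by the controller-level check before the action-level
    // attribute is evaluated. The override discards controller-level and global
    // authorization filters for this one action, leaving only the attribute below.
    [OverrideAuthorization]
    [Authorize(Roles = "Administrator, User")]
    public ActionResult SetAction2()
    {
        return View();
    }
}
```

Because the override also removes any global AuthorizeAttribute registered in FilterConfig, the action-level attribute must restate the full policy; an [OverrideAuthorization] with no [Authorize] next to it makes the action anonymous.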

How do I skip the authorization for a specific user agent using ASP.NET MVC?

So, I have an action method in a controller as here below:
[Authorize]
public ActionResult ToDo()
{
//Do some stuff
return View();
}
I would like to allow the Facebook crawler to access the content of the Razor view for the ToDo action method. How is that possible? Your thoughts?
Create two actions with the same name but overloaded, for example:
[Authorize]
[Route("Home/Index/{status:bool}")]
public ActionResult Index(bool status)
{
return View();
}
[Route("Home/Index/{id:int}")]
public ActionResult Index(int id)
{
return View();
}
and you can create a custom ActionInvoker.
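As an added example that is not part of the answer above, a different route to the same goal: a subclass of AuthorizeAttribute that waives the login requirement when the User-Agent contains a crawler token. The attribute and controller names are assumptions, and the token value should be checked against Facebook's current crawler documentation. The caveat a reviewer will raise is that User-Agent is supplied by the client, so whatever sits behind this attribute is effectively public; the view must not render data that belongs to a signed-in user.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example (not from the answer). Grants anonymous access when the
// User-Agent contains CrawlerToken; everyone else goes through the normal
// [Authorize] check. Because the header is client-controlled, treat the
// action's output as public content.
public class AuthorizeExceptCrawlerAttribute : AuthorizeAttribute
{
    // Substring to look for. "facebookexternalhit" is the token Facebook's crawler
    // is documented to send; verify it rather than relying on this comment.
    public string CrawlerToken { get; set; }

    public AuthorizeExceptCrawlerAttribute()
    {
        CrawlerToken = "facebookexternalhit";
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        string userAgent = httpContext.Request.UserAgent ?? string.Empty;
        if (userAgent.IndexOf(CrawlerToken, StringComparison.OrdinalIgnoreCase) >= 0)
            return true;                            // crawler path: no login required

        return base.AuthorizeCore(httpContext);     // everyone else: regular [Authorize]
    }
}

public class HomeController : Controller
{
    [AuthorizeExceptCrawler]
    public ActionResult ToDo()
    {
        // The crawler arrives unauthenticated, so User.Identity.Name is empty here
        // and the view must not assume a logged-in user.
        ViewBag.Viewer = User.Identity.IsAuthenticated ? User.Identity.Name : "anonymous";
        return View();
    }
}
```

If the page cached by OutputCache varies by login state, add VaryByCustom or disable caching on this action, otherwise the anonymous rendering produced for the crawler can be served to real users.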

ASP.NET MVC Authorization Filter

If I register a global Authorize attribute in FilterConfig.cs so that each action method can only be accessible to authenticated users, and decorate some controllers with [Authorize(Role="Admin")] so that only admin users can access them, does authorization logic run twice on these controllers? What can I do to prevent that?
You can use an ASP.NET MVC "FilterProvider". What this does is help you fetch all relevant filters for a specific controller and action.
So you can define your own provider and register it instead of the default ones. This gives you full control over the ASP.NET filters, and you can remove some filters based on your requirements.
Let's say we have the following controller.
[Authorize]
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
public ActionResult Whatever()
{
return View();
}
}
I think you are looking for a way to do something as follows. Concentrate on the Index action.
[Authorize]
public class HomeController : Controller
{
[ExcludeFilter(typeof(AuthorizeAttribute))] // Excluding Authorize Important !
public ActionResult Index()
{
return View();
}
public ActionResult Admin() // will follow the declared authorize Attribute
{
return View();
}
}
If that's what you are looking for, then see this article.
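The following is an added example, not the article the answer links to, of an ExcludeFilter attribute and the IFilterProvider wrapper that honours it; all names are assumptions. It wraps every registered provider (the global filter collection, the attribute provider and the controller-instance provider), so an excluded type is dropped whether it came from FilterConfig or from the controller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Added example (names are assumptions). Marks an action so that filters of the
// given type inherited from the controller or the global list are not run for it.
[AttributeUsage(AttributeTargets.Method, AllowMultiple = true)]
public sealed class ExcludeFilterAttribute : Attribute
{
    public Type FilterType { get; private set; }
    public ExcludeFilterAttribute(Type filterType) { FilterType = filterType; }
}

// Wraps an existing IFilterProvider and removes excluded filters from its output.
public sealed class ExcludingFilterProvider : IFilterProvider
{
    private readonly IFilterProvider _inner;
    public ExcludingFilterProvider(IFilterProvider inner) { _inner = inner; }

    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        Type[] excluded = actionDescriptor
            .GetCustomAttributes(typeof(ExcludeFilterAttribute), true)
            .Cast<ExcludeFilterAttribute>()
            .Select(a => a.FilterType)
            .ToArray();

        foreach (Filter filter in _inner.GetFilters(controllerContext, actionDescriptor))
        {
            // Filters declared on the action itself are kept; only inherited
            // (controller-level or global) instances of an excluded type are dropped.
            bool drop = filter.Scope != FilterScope.Action
                     && excluded.Any(t => t.IsInstanceOfType(filter.Instance));
            if (!drop)
                yield return filter;
        }
    }
}

public static class FilterProviderSetup
{
    // Call once from Application_Start, after RegisterGlobalFilters.
    public static void Install()
    {
        IFilterProvider[] originals = FilterProviders.Providers.ToArray();
        FilterProviders.Providers.Clear();
        foreach (IFilterProvider provider in originals)
            FilterProviders.Providers.Add(new ExcludingFilterProvider(provider));
    }
}

[Authorize]
public class HomeController : Controller
{
    [ExcludeFilter(typeof(AuthorizeAttribute))]   // controller-level [Authorize] is not run here
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult Admin()                  // still protected by the controller-level [Authorize]
    {
        return View();
    }
}
```

For AuthorizeAttribute specifically, [AllowAnonymous] is the built-in opt-out and is easier to spot in a code review; the provider is useful for filter types that have no such opt-out. Excluding by type is also coarse: [ExcludeFilter(typeof(AuthorizeAttribute))] removes a global [Authorize] and a controller-level [Authorize(Roles = "Admin")] alike, so check what the action is left with.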

Attribute for only allow anonymous in ASP.Net MVC

I know that there is an attribute for when a user must be authorized or not. You can also place [AllowAnonymous] above it. See also the code below:
[Authorize] // only when the user is authorized
public class AccountController : Controller
{
[HttpGet]
[AllowAnonymous] // also when the user is not authorized.
public ActionResult Login(string returnUrl = "")
{ /* Some code */ }
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{ /* Some code */ }
}
But is there also an attribute to allow anonymous only? For example: a login page that only shows when the user is not authorized?
I don't think there's an existing one, but there's no reason you can't roll your own. However, I would point out that it seems odd that you'd go to the extra effort to restrict content to an authenticated user:
public class AnonymousOnly : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.User.Identity.IsAuthenticated)
{
// Do what you want to do here, e.g. show a 404 or redirect
}
}
}
Then just decorate your class/method with this new attribute:
[AnonymousOnly]
public ActionResult Login(string returnUrl = "")
{
// code
}
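A complete version of the attribute the answer sketches, as an added example rather than the answer's own code: it implements IAuthorizationFilter directly instead of inheriting AuthorizeAttribute, because the base class's own authenticated-user check is the opposite of what this attribute wants, and it shows how it combines with a class-level [Authorize]. The redirect target is an assumption.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Added example: authenticated users who reach an [AnonymousOnly] action are sent
// to Home/Index (assumed target) instead of seeing, say, the login form again.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AnonymousOnlyAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // Setting Result short-circuits the pipeline; the action never runs.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary { { "controller", "Home" }, { "action", "Index" } });
        }
        // Anonymous callers fall through and the action executes normally.
    }
}

[Authorize]
public class AccountController : Controller
{
    [HttpGet]
    [AllowAnonymous]   // lets anonymous users past the class-level [Authorize] ...
    [AnonymousOnly]    // ... and turns away the ones who are already signed in
    public ActionResult Login(string returnUrl = "")
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }
}
```

Both attributes are needed on the login action: without [AllowAnonymous] the class-level [Authorize] would issue a 401 for the very users the page is meant for, and without [AnonymousOnly] a signed-in user would still see the form.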

What is the correct way of rendering a view?

I am trying to create an MVC 4 ASP.NET site. As I am new to programming, I would like to know the correct way of rendering a view based on whether a user is logged in or not.
My code: I am trying to restrict a user from going to the Index, About and Contact pages. They will only go to those pages (views) if the user is logged in. My question is, "Is this the right way of doing it or is this wrong? Is there a more secure, effective, and acceptable way of doing this?"
Please let me know if there is. Thank you.
public class HomeController : Controller
{
public ActionResult Index()
{
if (User.Identity.IsAuthenticated)
{
return View();
}
return RedirectToRoute(new { controller = "Account", action = "Login" });
}
public ActionResult About()
{
if (User.Identity.IsAuthenticated)
{
ViewBag.Message = "Your app description page.";
return View();
}
return RedirectToRoute(new { controller = "Account", action = "Login" });
}
public ActionResult Contact()
{
if (User.Identity.IsAuthenticated)
{
ViewBag.Message = "Your contact page.";
return View();
}
return RedirectToRoute(new { controller = "Account", action = "Login" });
}
}
The Authorize attribute lets you indicate that authorization is restricted to predefined roles or to individual users.
This gives you a high degree of control over who is authorized to view any page on the site.
If an unauthorized user tries to access a method that is marked with the Authorize attribute, the MVC framework returns a 401 HTTP status code.
If the site is configured to use ASP.NET forms authentication, the 401 status code causes the browser to redirect the user to the login page.
You can use [Authorize] on your controller if all the methods require login as below:
[Authorize]
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
public ActionResult About()
{
ViewBag.Message = "Your app description page.";
return View();
}
public ActionResult Contact()
{
ViewBag.Message = "Your contact page.";
return View();
}
}
You can also put the attribute on certain methods if required instead of putting on the controller itself. For example, if you want the user to login for Index() method only then you could do it as below:
public class HomeController : Controller
{
[Authorize]
public ActionResult Index()
{
return View();
}
}
The common way for this case is to use [Authorize] (AuthorizeAttribute).
You may add it to specific actions or to a whole controller. It supports both specific user restrictions and roles.
You may start with the default MVC solution from Visual Studio, which will create all basic functionality based on the SimpleMembership provider.
You may refer to the NerdDinner project for a full explanation: http://nerddinnerbook.s3.amazonaws.com/Part9.htm.
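Putting the two answers together, here is an added example (not the asker's or the answerers' code) of the structure the MVC 4 template uses: one global AuthorizeAttribute in FilterConfig replaces the hand-written IsAuthenticated checks, the login actions opt out with [AllowAnonymous], and the returnUrl that the 401-to-login redirect appends is only followed when it is local. LoginViewModel and the WebSecurity calls are assumptions modelled on the template's SimpleMembership code.

```csharp
using System.Web.Mvc;
using WebMatrix.WebData;   // SimpleMembership's WebSecurity (MVC 4 Internet template)

// Assumed view model, modelled on the MVC 4 template's LoginModel.
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

// App_Start/FilterConfig.cs: one global filter protects every action that does
// not carry [AllowAnonymous].
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

// With the global filter in place the controller needs no checks of its own.
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }

    public ActionResult About()
    {
        ViewBag.Message = "Your app description page.";
        return View();
    }

    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";
        return View();
    }
}

public class AccountController : Controller
{
    // The login page must be reachable anonymously, otherwise the 401 -> login
    // redirect loops back onto itself.
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string returnUrl = "")
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid &&
            WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            return RedirectToLocal(returnUrl);
        }

        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // ReturnUrl arrives in the query string of the login redirect, so anyone can
    // craft a link that sets it: only follow it when it points back into this site.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

The redirect from the 401 to the login page is produced by forms authentication, configured in web.config with `<authentication mode="Forms"><forms loginUrl="~/Account/Login" /></authentication>`; without that setting the browser simply receives the 401.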
