FluentSecurity: How to assign multiple roles - asp.net-mvc

In ASP.NET MVC, we can assign multiple roles in AuthorizeAttribute. I'm currently using Fluent Security. The documentation says RequireRolePolicy can support one or more roles.
I want to do the code below:
configuration.For<MyController>(x => x.Index()).RequireRole("Administrator, Editor");
but it seems that it only checks one role. How to assign multiple roles to it?

Ok I got it now.
configuration.For<MyController>(x => x.Index()).RequireAllRolesPolicy("Administrator", "Editor");
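
Why the single comma-separated string matches nothing, and how an any-of check differs from an all-of check, shown with plain System.Security.Principal types. This is an added example, not FluentSecurity's code or part of the original post; the AnyRole, AllRoles and SplitRoles helpers are hypothetical stand-ins and the user "alice" is constructed.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

static class RoleCheckDemo
{
    // Hypothetical helper: true when the user holds at least one of the roles.
    static bool AnyRole(IPrincipal user, params string[] roles)
    {
        return roles.Any(user.IsInRole);
    }

    // Hypothetical helper: true only when the user holds every listed role.
    static bool AllRoles(IPrincipal user, params string[] roles)
    {
        return roles.All(user.IsInRole);
    }

    // AuthorizeAttribute-style parsing of a Roles string: split on commas and trim.
    static string[] SplitRoles(string roles)
    {
        return roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
    }

    static void Main()
    {
        // Constructed sample user who is an Editor but not an Administrator.
        IPrincipal editor = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Editor" });

        // One string is one role name; nobody holds a role called "Administrator, Editor".
        Console.WriteLine(AnyRole(editor, "Administrator, Editor"));
        // Separate arguments are separate roles, so the Editor role is found.
        Console.WriteLine(AnyRole(editor, "Administrator", "Editor"));
        // All-of is stricter: this user is refused because Administrator is missing.
        Console.WriteLine(AllRoles(editor, "Administrator", "Editor"));
        // Splitting the string first gives the any-of behaviour of [Authorize(Roles = "...")].
        Console.WriteLine(AnyRole(editor, SplitRoles("Administrator, Editor")));
    }
}
```

Choosing between the two matters for access control: an all-roles requirement locks out users who hold only one of the roles, while an any-role requirement admits them.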

Related

this.User.Identity.Name from web.config or database?

Currently I'm doing a check :
@if(this.User.Identity.Name=="DOMAIN\\USERID"){
This works great but I'd like to have multiple users (2-3) to check for. I'd also like to not have it hard coded. Is there a way to do this in the web.config or in a database?
You could add a list in the config...User1,User2 etc and then use linq and .Any() against this list?
var users = "user1,user2,user3".Split(','); //list will come from your config
bool result = users.Any(u => u == this.User.Identity.Name);
Also, since you're using MVC, if you want to use authorization for controllers etc., you can use the [Authorize] attribute. See this SO link too: Authorize attribute in ASP.NET MVC
Maybe use roles instead then add the relevant users to that role? This would make it easier to expand on in the future, plus you don't have to hard code a list of users.

MVC4 How to go about using IsInRole without SimpleMemberShip

Just curious what would be the best way to do this?
Used to using
if (User.IsInRole("Administrator"))
with an older program of mine.
Using the new Kendo template (new to me) for MVC4-VS2012 projects, it created everything w/o SimpleMembership, so I wrote my own login system with help of some YouTube videos and documentation.
It is very flexible and works, just curious on how I can check if a user is in a role via a view (like if (User.IsInRole("Administrator")) would have done), and/or the best way to do so (possibly in a controller).
You can continue to use User.IsInRole(""), you simply need to set HttpContext.User with the correct principal that has a list of roles.
You can create your own Authorization Attribute that would take care of this:
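// Inside the authorization method of your attribute, where filterContext is available.
// Load the user's roles from your own store (userRepo is your data access class).
var websiteRoles = userRepo.GetRoles(filterContext.HttpContext.User.Identity.Name);
var identity = filterContext.HttpContext.User.Identity as FormsIdentity;
filterContext.HttpContext.User = new System.Security.Principal.GenericPrincipal(identity, websiteRoles.ToArray());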
Follow up:
Your GetRoles() method can be implemented any way you like, you simply need to have a list of roles that the user belongs to. You will use this list to create the Principal object to set the User to.
Using this approach will allow you to use User.IsInRole()

Asp Net MVC Membership - Retrieving access rules for Roles. Is there how?

Is there a way to retrieve all access rules from a specific Role?
As roles are just flagged at the top of an action or on top of the whole class, I can't find a way to retrieve this information unless I read and parse the whole file and after that find a way to link this [authorization] tag to a group.
Thanks
No, there is no built-in way. It's even impossible, because you might check for roles in your code (actions/views) as well.
And how should the list of access rules be returned?
For example, how should an algorithm return / name this access rule in a view:
@if(User.IsInRole("SomeRole")) {
<div>
Show some html only visible for users in SomeRole
</div>
}
You have to administer the list of your application-defined access rules by yourself - the list will be very specific for your app.
Of course, when you just use the Authorize attribute, you could generate a list of action methods accessible for a given role by reflecting over all controller classes.
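
The reflection approach mentioned in the last sentence, as an added example that is not part of the original answer. The RoleAccessReport class and its method names are hypothetical; it uses only System.Reflection and the System.Web.Mvc attribute types, and reports only actions guarded by at least one [Authorize] attribute.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class RoleAccessReport
{
    // Lists "Controller.Action" for every [Authorize]-guarded action that admits the role.
    public static IEnumerable<string> ActionsForRole(Assembly assembly, string role)
    {
        var controllers = assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            var onClass = GetAuthorize(controller);
            // DeclaredOnly: actions inherited from a base controller are not listed here.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
            {
                // Class-level and method-level attributes must all admit the role.
                var filters = onClass.Concat(GetAuthorize(action)).ToList();
                if (filters.Count > 0 && filters.All(f => Admits(f, role)))
                    yield return controller.Name + "." + action.Name;
            }
        }
    }

    static IEnumerable<AuthorizeAttribute> GetAuthorize(MemberInfo member)
    {
        return member.GetCustomAttributes(typeof(AuthorizeAttribute), true).Cast<AuthorizeAttribute>();
    }

    // An empty Roles string means any authenticated user; otherwise one listed role is enough.
    static bool Admits(AuthorizeAttribute attribute, string role)
    {
        if (string.IsNullOrWhiteSpace(attribute.Roles)) return true;
        return attribute.Roles.Split(',')
            .Any(r => string.Equals(r.Trim(), role, StringComparison.OrdinalIgnoreCase));
    }
}
```

Role checks made inside action bodies or views, the Users property of the attribute, global filters and [AllowAnonymous] are invisible to this report, which is the limitation the answer describes.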

Data level Authorization filter in ASP.Net MVC Entity Framework application

I was looking for a data level Authorization filter in my ASP.Net MVC 4 Application.
We are using Entity Framework for Data access.
The application need to display all the data but should restrict the access to certain fields in a table based on the user roles.
eg: TASK table
{
int Id,
string TaskName,
DateTime StartDate,
DateTime EndDate
}
This whole data will be displayed to all the users and users have the options to edit the fields also. But should restrict the edit options like as follows
Role Admin can edit all the fields
Role Manager can Edit TaskName but cannot edit StartDate and EndDate
Role Users cannot Edit any of the fields
All these edit will be calling the Edit action in the TaskController.
How can I implement the functionality in my application.
You might try Postsharp. PostSharp allows you to design custom attributes for injecting boilerplate code at compile-time. It should be possible to use it for scenarios such as your example. I've used it for exception handling, logging, caching, & security. It can be applied to any layer or framework.
See, "Securing Fields and Properties" in the following illustrated example:
http://www.sharpcrafters.com/solutions/authorization
Hope it helps.
This is not EF, another ORM, but might help to see how it can be done - full source code is here.
Authorization subsystem is explained here.
It does what you need - row-level, up-to-column granularity, role-based authorization.
Sounds like what you are after is a true 'business' object that is smart and contains authorization at the property level not just at the method level. I would suggest using CSLA.NET and create your business object model with smart objects. This gives you that feature as well as a bunch of others.
This whole data will be displayed to all the users and users have the options to edit the fields also. But should restrict the edit options
Instead of a single Edit action in Task controller
create a specific action for each unique field set allowed to be edited
Edit(TaskName, StartDate, EndDate) for Admin
Edit(TaskName) for Manager
no Edit action for User, since they are not allowed to change any fields
use authorization per action
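
One way to lay out the per-role actions described in this last answer, as an added example that is not part of the original post. TaskItem, ITaskStore and the action names EditAll and EditName are hypothetical; the role names and fields come from the question, and the property allow-list passed to TryUpdateModel keeps a Manager's posted StartDate or EndDate from being bound.

```csharp
using System;
using System.Web.Mvc;

public class TaskItem
{
    public int Id { get; set; }
    public string TaskName { get; set; }
    public DateTime StartDate { get; set; }
    public DateTime EndDate { get; set; }
}

// Hypothetical persistence abstraction standing in for the Entity Framework context.
public interface ITaskStore
{
    TaskItem Find(int id);
    void Save(TaskItem task);
}

public class TaskController : Controller
{
    private readonly ITaskStore _store;
    public TaskController(ITaskStore store) { _store = store; }

    // Admin may change every editable field.
    [HttpPost, Authorize(Roles = "Admin"), ValidateAntiForgeryToken]
    public ActionResult EditAll(int id)
    {
        return Update(id, "TaskName", "StartDate", "EndDate");
    }

    // Manager may change the name only; posted StartDate/EndDate values are ignored.
    [HttpPost, Authorize(Roles = "Manager"), ValidateAntiForgeryToken]
    public ActionResult EditName(int id)
    {
        return Update(id, "TaskName");
    }

    // No edit action exists for the Users role, so there is nothing for it to post to.
    private ActionResult Update(int id, params string[] allowedFields)
    {
        var task = _store.Find(id);
        if (task == null) return HttpNotFound();
        // Bind only the allow-listed properties from the request onto the stored entity.
        if (!TryUpdateModel(task, allowedFields)) return View("Edit", task);
        _store.Save(task);
        return RedirectToAction("Index");
    }
}
```

Hiding or disabling inputs in the view is not enough on its own; the server-side allow-list is what stops a crafted form post from changing a field the role may not edit.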

Testing user role , Authorize attribute in VB.NET

I am using ASP.NET MVC to build a site. I am using VB as programming language. I have a couple of questions.
1 I have created a role "Manager". How do I check if a user belongs to this particular role?
For now I am using
If My.User.IsInRole("Manager") Then
'Direct to a view
Else
'Direct to another view
End If
Is this the right way?
2 How to use the Authorize attribute to limit access to a Function?
I know in C# it goes [Authorize(Roles = "Manager")] but not sure in VB.
Also, can I define a property to redirect a user who does not have the "Manager" role to a particular view when trying to access this function?
Thanks in advance.
In VB it would be:
<Authorize(Roles := "Manager")> _
