OK so I've created a new table within the existing aspnetdb.mdf database aspnet_Groups, and added and related a foreign key to the aspnet_Users table GroupId.
So users table now goes:
ApplicationId
UserId
UserName
LoweredUserName
MobileAlias
IsAnonymous
LastActivityDate
GroupId //<--- Added by me, and related to aspnet_Groups table
Groups table only has GroupId and GroupName so it's pretty simple actually.
What I wanna know, is how do I save and get data for this field/table from within MVC application. Or does this have to be done another way?
Edited
I would not recommend intervining into aspnetdb working ...
If you need to - create your own table and link it to aspnetdb.
More control, more customization, less bugs introduced to internal MS authentication...
Great posting about this Storing data in a Custom table within ASPNETDB.mdf vs. storing information about a user in a profile
But again, there's no right answer to your question - as long as it works and having good usability and readability - its fine.
If you can use Roles as your groups - this can do the trick, but if not, I'd define additional table, rather than intervining into prebuilt one. This is my opinion.
Edit 2
There are many ways you can work with aspnetdb. You can even embed it into your own database. Like this: Configuring ASP.NET 2.0 Application Services to use SQL Server 2000 or SQL Server 2005
Answering your particular question: you can access aspentdb via authentication API:
string userName = Membership.GetUserNameByEmail(emailToCheck);
if (userName != null)
or override membershipprovider, roleprovider and securityprovider or even access directly like described here
Membership, Role, and Security
Hope this helps!
Related
Ok I have seeded some roles which can be found in the SQL database in the table AspNetRoles
and the users can be found AspNetUsers.
I have also found a bunch of aspnet_ tables (I think they are old WebForm ones). Within a view I am calling #Roles.GetAllRoles() which is returning no results. the aspnet_Roles table has no records. So it may be checking there. But that seems unlikely as the seeded roles are being created thusly:
var roleManager = new RoleManager<Microsoft.AspNet.Identity.EntityFramework.IdentityRole>(new RoleStore<IdentityRole>(new ApplicationDbContext()));
if (!roleManager.RoleExists("Member"))
roleManager.Create(new IdentityRole("Member"));
Which in my little knowledge of MVC5 would suggest that Roles.GetAllRoles() would return the correct result.
I am using this #model EUWebRole.Models.IdentityManager also tried ApplicationUser with no change in results.
So to the questions:
1) How do I get the list of Roles?
2) If I am using the wrong "tables" how do I set it so that it is using the correct tables?
Any ideas would be greatly appreciated.
You're aspnet_tables are old from either the default MembershipProvider or the SimpleMembershipProvider (either way it doesn't matter they should be removed).
MVC 5 uses Identity 2.0 by default. If you need to do anything with roles you need to use the RoleManager.
I'm having problems getting Google OAuth to work with the default MVC4 Internet Application project template in Visual Studio 2012.
After redirection to Google and subsequently registering a username I'm getting a MembershipCreateUserException thrown on line 276 in the AccountController with the message:
The username supplied is invalid.
The failing line of code is:
OAuthWebSecurity.CreateOrUpdateAccount(provider, providerUserId, model.UserName);
I've checked the database and the UserProfiles table contains the username I enter as expected and I've tried with various combinations of username.
Have I missed something as none of the linked articles within the source code suggest anything else needs configuring?
I think I figured it out. The OAuthWebSecurity.CreateOrUpdateAccount needs to have a user in the Users table.
The thing is, the method will "create" a new record in the webpages_OAuthMembership table, which has a foreign key to the users table.
Thus, in order to make your call work either create a new user first via WebSecurity.CreateAccount or write some manual code to add a user to the table.
I went for the WebSecurity.CreateAccount and used the GeneratePassword method to work around that bit.
Hope it helps.
First i would like to leave my experience here. (asp.net mvc4)
Change the dbcontext for the SimpleMembership provider. Go for Filter folder-> Open InitializeSimpleMembershipAttribute. then do changes like this. So it will includ membership tables in your database.
WebSecurity.InitializeDatabaseConnection("ChangeYourDbContext", "UserProfile", "UserId", "UserName", autoCreateTables: true);
Go for AccontController. Find the UserContext, which is by default using the defaultConnection string. Go for UserContext Declartion (f12).
and override the UserContext Connectionstring to your actualDbcontext
public UsersContext(): base("YourAcutalDbContext")
{
}
I was looking for a data level Authorization filter in my ASP.Net MVC 4 Application.
We are using Entity Framework for Data access.
The application need to display all the data but should restrict the access to certain fields in a table based on the user roles.
eg: TASK table
{
int Id,
string TaskName,
DateTime StartDate,
DateTime EndDate
}
This whole data will be displayed to all the users and users have the options to edit the fields also. But should restrict the edit options like as follows
Role Admin can edit all the fields
Role Manager can Edit TaskName but cannot edit StartDate and EndDate
Role Users cannot Edit any of the fields
All these edit will be calling the Edit action in the TaskController.
How can I implement the functionality in my application.
You might try Postsharp. PostSharp allows you to design custom attributes for injecting boilerplate code at compile-time. It should be possible to use it for scenarios such as your example. I've used it for exception handling, logging, caching, & security. It can be applied to any layer or framework.
See, "Securing Fields and Properties" in the following illustrated example:
http://www.sharpcrafters.com/solutions/authorization
Hope it helps.
This is not EF, another ORM, but might help to see how it can be done - full source code is here.
Autorization subsystem is explained here.
It does what you need - row-level, up-to-column granularity, role-based authorization.
Sounds like what you are after is a true 'business' object that is smart and contains authorization at the property level not just at the method level. I would suggest using CSLA.NET and create your business object model with smart objects. This gives you that feature as well as a bunch of others.
This whole data will be displayed to all the users and users have the options to edit the fields also. But should restrict the edit options
Instead of a single Edit action in Task controller
create a specific action for each unique field set allowed to be edited
Edit(TaskName, StartDate, EndDate) for Admin
Edit(TaskName) for Manager
no Edit action for User, since ther are not allowed to change any fields
use authorization per action
I'm using NerdDinner as a guide for my first MVC/LINQ to SQL project. It discusses the use of the ViewModel pattern when a View needs data from multiple sources - in their example: Dinners and Countries (serves as the drop down list).
In my application, the problem is a bit different. It's not so much different data, rather data linked via a key constraint. I have a Story table that links to aspnet_users via the UserId key. I would like to have easy access to the UserName for each story.
Since I'm using the repository pattern and returning IQueryable in some cases for deferred execution, I'm struggling with the correct way to shape the data. So I'm using this VideModel pattern right now to make it work but not sure if it's the right way.
Instead of returing IQueryable Story (which wouldn't work since I need the UserName), I'm returning a new custom class UserStory, which has a Story property and a string Username property.
What are your thoughts?
It seems like your question has less to do with MVC as it is simply a question about how to access the story data based on the username string.
Would it be possible to create a view in your database with all the UserStory data, the username, along with userid in it? That way, you could select from the view based on the username you have.
To create the view, you would simply have to do a join between the user table and the userstory table based on the userid.
After that, you could still use the repository pattern with the IQueryable being returned.
If you are wanting to do updates, it would be simple to do since you still have the userid, and would be able to link back to the actual table which would need the update.
If you look at Kigg, you will see that they mess about with the initial model to create custom ViewModels. That's the thing that NerdDinner doesn't cover in any detail. You could create a StoriesWithUserName class that inherits from Stories, but adds a new property - UserName. Then you return that to your View which would inherit from IEnumerable<StoriesWithUserName>
[EDIT]
Oops. Didn't spot that you already did this :o)
Using the repository pattern and returning an IQueryable of Stories is fine. The relationship allows you to access the the username value something like this >>
Assuming you are returning the IQueryable in your model object:
foreach(Story story in Model.Stories)
{
// do something with the value
response.write(story.aspnet_user.UserName);
};
Your Repository method would look like this:
public List<Stories> GetStories(Guid UserId)
{
return datacontext.Stories.Where(u => u.UserId = UserId).ToList();
}
The relationship will automatically provide you with access to the UserName value in the foreach loop i first mentioned. nothing more is required.
I'm not sure why your pagination control failed on Count() though??
Hope this helps
Let's say I have a Web application implemented like a set of wizard pages to edit a complex object. Until the user clicks on the "Finish" button, the object doesn't get saved to the back-end system (a requirement), so in the meantime I have to keep the whole information about the object in some kind of a session state.
Also, some of the wizard pages have to show combo and list boxes with potentially large number of items. These items are fetched from the back-end system using a Web service.
Coincidentally, the wizard allows the user to freely jump from one wizard page to any other (using tab links on top of the form), so it's not a simple "next, next... finish" thing.
Additional constraint: the Web application runs on a Web farm and the customer is weary of using server-side session state. In the best case they want to keep the size of the session state minimal (they had problems with this in the past).
So basically there are two problems here:
How/where to keep data entered by the user in the Wizard?
Whether to cache the combo/list items received from the back-end and if so, where?
Options I'm considering:
Storing the object in a WebForms-like ViewState (by serializing it into the HTML page). This would also include the combo box items. Obviously, there could be a problem with HTML pages becoming very large and thus Web application will be slow.
Storing it into server-side session state, regardless of the customer's wishes and without knowing how the performance will be affected until it is tested on the actual Web farm (late in the project).
I cannot decide between the two. Or is there another alternative?
Why cache at all? You could just have the tabbed pages where each page is a div or panel and just display the current div relating to your tab. That way you dont have to keep track and process all the inputs when the user submits the form.
Is it possible to store the wizard data in a temporary table in the database? When the user finishes the wizard the data is copied from the temporary table and deleted. The temporary table includes a timestamp to remove any old uncompleted data.
As Daisy said, it doesn't have to be cached. You could also use hidden form fields. Because these could map to the same object on each controller action, you could progressively build the object through successive pages.
//Here's a class we're going to use
public class Person
{
public int Age {get;set;}
public string Name {get;set;}
public Person()
{
}
}
//Here's the controller
public Controller PersonCreator
{
public ActionResult CreatePerson()
{
//Posting from this page will go to SetPersonAge, as the name will be set in here.
return View();
}
public ActionResult SetPersonAge(Person person)
{
//This should now have the name and age of the person
return View(person);
}
}
//Here is your SetPersonAge, which contains the name in the model already:
<%= Html.Hidden("Name", Model.Name) %>
<%Html.TextBox("Age") %>
And that's pretty much it.
I can suggest a few more options
Having the entire wizard as a single page with the tabs showing and hiding content via javascript on the client-side. This may cause the the initial page to load slower though.
Caching the data at the server using the caching application block (or something similar). This will allow all the users to share a single instance of this data instead of duplicating across all sessions. Now that the data is lighter, you may be able to convince the customer to permit storing in the session.
There is a lot of resistance in the MVC community against using Sessions. Problems are that a lot of us developers are building login systems like a bank website. One could argue for hidden fields and that works for some situations but when we need to time a user out for security and compliance, then you have several options. Cookies are not reliable. Relying on Javascript timers are not reliable and are not 508 compliant as the goal should be to degrade gracefully. Thus for a Login, a Session is a good option. If you write the time to the client browser, to the server database or server file system, you still have to manage the time per user.
Thus use Sessions sparingly, but don't fear them. For the wizards, you technically can serialize hidden fields passing them around. I suspect the need and scope will become much greater and an authorization/authentication implementation with Sessions will be the crux of the application.
If you cannot use ajax (for validation & dropdowns and ability to convert wizard to tabbed page) and cannot use html5 (for dropdown caching and form state saving in local storage), then I think you are pretty out of available "best practices" and you have to resort to bad (or worse) one.
As MVC is opponent of WebForms regarding session usage, maybe you can use a workaround? For example, besides storing all these values in some temporary database records you need to clean up later, you could set up AppFabric extension for Windows Server and use it to store dropdown list items (and scope can be for all users, so if more users are using system at the same time you need only one call to web service to refresh cache), and also to temporary store your objects between steps. You can set your temporary objects in AppFabric to automatically expire so cleanup is not necessary. It can also be of help for speeding up other parts of your system if you extensively call another system over web services.
I've been dealing with the same issue and, while my requirements are a little simpler (keeping state for just a few strings), my solution may work for you. I'd also be interested in hearing others thoughts on this approach.
What I ended up doing is: in the controller I just dump the data I want into the Session property of the Controller and then pull it out next time I need it. Something like this for your situation:
//Here's the controller
public Controller PersonCreator
{
public ActionResult CreatePerson()
{
//get the age out of the session
int age = (int)(Session["age"]);
//do something with it...
return View();
}
public ActionResult SetPersonAge(Person person)
{
//put the age in the session
Session.Add("age", person.Age);
return View(person);
}
}
The thing I like about this is I don't have to put a bunch of hidden params around on my view pages.
The answer to this can be found in Steve Sanderson's ASP.NET MVC 2/3, and requires a reference to the MVC Futures assembly. This link to Google Books is exactly what he does.
In essence, you serialize the wizard data to the View. A hidden field is rendered storing all of the acquired information.
Your controller can work out what to do through the use of the OnActionExecuting and OnResultExecuted (to cater for redirects) to pass it to the next view.
Have a read - he explains it much more thoroughly than I can.