Just starting out with ASP.NET MVC. I'm working on a customer portal for our (FogBugz) helpdesk system. I understand that decorating my ActionResults with [Authorize] will require that the user is logged in, but what I'm not sure on is how best to ensure that a user can only access their own calls.
Once a user is authorised I can get their username from the User object, so should I be passing that from my controllers into the business layer and authorizing there, or is there a better way to do this (like a custom AuthorizeAttribute)?
I think you should read the article below. It may help you find the right way.
Rick Anderson # MSDN Blog.
or
How do i create a custom AuthorizeAttribute that is specific to the the area, controller or action?
I have been searching and haven't had any luck. I found a tutorial on using the LoginView control in order to display or hide parts of the views for different user roles in my application. The thing is that the tutorial I found is for ASP.NET, and I've been told by one of my colleagues that it is the same framework as ASP.NET MVC but the way to use it is different. Have you got any good tutorial to recommend?
EDIT: I've got all my application set up, and the login and the roles already configured (via the ASP.NET membership provider). This is all already running. The thing is that if I have role a and role b, I want role a to be able to actually see the links to the actions it is authorized to work with, and not b, for example. If in the Index of my application I've got a link to "Edit" and only role a can access the action, then it will be displayed just for logged-in users who belong to role a, and not to those who belong to role b.
Thank you,
Vikitor
Try this:
http://www.a2zdotnet.com/View.aspx?id=77
And remember to use the [Authorize] attribute on your controller actions to prevent users accessing sensitive views.
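One way to get the behaviour the question asks for, as an added example that is not from the linked article: an HtmlHelper extension that renders an action link only for users in a given role, paired with the [Authorize] attribute on the action itself. The role name "a", the CallsController and the Edit action are placeholders taken from the question.

```csharp
using System.Web.Mvc;
using System.Web.Mvc.Html;

// Renders Html.ActionLink(...) only when the current user is in `role`;
// otherwise renders nothing, so role b never sees the "Edit" link.
public static class RoleLinkExtensions
{
    public static MvcHtmlString ActionLinkForRole(this HtmlHelper html,
        string linkText, string actionName, string controllerName, string role)
    {
        var user = html.ViewContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
            return MvcHtmlString.Empty;
        return html.ActionLink(linkText, actionName, controllerName);
    }
}

// Hiding the link is a usability measure, not a security control: the action
// must still carry [Authorize(Roles = ...)], otherwise a role b user can simply
// type /Calls/Edit/5 into the address bar.
public class CallsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize(Roles = "a")]
    public ActionResult Edit(int id)
    {
        return View();
    }
}

// In the Index view:
//   ASPX view engine (MVC 1/2):  <%= Html.ActionLinkForRole("Edit", "Edit", "Calls", "a") %>
//   Razor (MVC 3+):              @Html.ActionLinkForRole("Edit", "Edit", "Calls", "a")
```

The helper reads the same `User` object the controller sees, so the view and the action agree on who is in role a; the attribute is the part that actually enforces it.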
In the ASP.NET MVC architecture,
can I write AuthorizeAttribute on a method of a model class?
I am trying to do this but it's not working.
Please let me know how I can do this.
No, you can apply authorization to controller actions only.
You should check there whether the user can access the actions performed on the model, and then do it. Putting authorization on the model is not good, because the same model may be used in different actions, and the user may be authorized for some and denied for others.
Say that you have a controller named Buildings and that every user in the system has a set of buildings that he/she administers. If you have an Edit action in your controller that you can access with /Buildings/Edit/{id}, is there a nice and simple way to implement some kind of authorization attribute that only allows access to this page if the id you are trying to edit is part of the logged-in user's set of buildings? Or do you have to handle this yourself in your controller?
regards
Freddy
You can use ActionFilterAttribute.
Check out this SO too
Check this post: asp.net mvc attributes actionfilterattribute and why you might want to use them
Sure you can, you can derive from the Authorize attribute to define your own authorization for an action method. There's an example of using it in this blog post.
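An added example of the approach the answers above describe (deriving from AuthorizeAttribute), not code from the linked blog post: the attribute runs the normal login check first, then compares the {id} route value against the buildings the current user administers. IBuildingRepository, its BuildingIdsAdministeredBy method and the static Repository hook are assumptions standing in for your own data access.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical data access: the ids of the buildings a user administers.
public interface IBuildingRepository
{
    IEnumerable<int> BuildingIdsAdministeredBy(string userName);
}

public class AuthorizeBuildingOwnerAttribute : AuthorizeAttribute
{
    // Route value carrying the building id; "id" matches /Buildings/Edit/{id}.
    public string RouteKey { get; set; }

    // Assumption: wired up once at application start (e.g. Global.asax) to the real repository.
    public static Func<IBuildingRepository> Repository =
        () => { throw new InvalidOperationException("Repository not configured"); };

    public AuthorizeBuildingOwnerAttribute()
    {
        RouteKey = "id";
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Standard [Authorize] behaviour first: anonymous (or wrong Roles) gets a 401,
        // which FormsAuthentication turns into the login-page redirect.
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null)
            return;

        int buildingId;
        object raw = filterContext.RouteData.Values[RouteKey];
        if (raw == null || !int.TryParse(Convert.ToString(raw), out buildingId))
        {
            // Missing or non-numeric id: reject before touching the database.
            filterContext.Result = new HttpStatusCodeResult(400);
            return;
        }

        string userName = filterContext.HttpContext.User.Identity.Name;
        bool owns = Repository().BuildingIdsAdministeredBy(userName).Contains(buildingId);
        if (!owns)
        {
            // Logged in but not the owner: 403, not 401, so the user is not
            // bounced back to a login page they have already passed.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }
}

public class BuildingsController : Controller
{
    // Do not combine this with [OutputCache]: a cached response is served without
    // re-running OnAuthorization, so the per-id, per-user check would be skipped.
    [AuthorizeBuildingOwner]
    public ActionResult Edit(int id)
    {
        // Only reached when `id` is one of the caller's own buildings.
        return View();
    }
}
```

Keeping the check in the attribute rather than in each action means every action that takes a building id gets the same ownership test, and forgetting it on one action shows up as a missing attribute rather than a missing `if`. Note that the building id is taken from the route value named by RouteKey; if an action receives the id as a query-string or form field instead, the attribute will not see it.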
I'm having a huge problem in understanding Membership with MVC. We have in our project controllers named "Admin" and "SuperAdmin" and they are restricted to some users.
Do I have to use the Authorize Roles attribute on each action, or can I use an ActionFilter to check whether a user can view a certain page?
And if I have to use the Roles attribute, do I have to configure each user in the ASP.NET Configuration tool? For example, "SuperAdmin" will be only a few users (around 3 at most), making it easy to use the ASP.NET Configuration tool and tell it who these users are. But there will be many more "Admin" users... how can I configure them?
I'm totally lost!
I need some real clarification on that!
Thanks a lot!!!
You can apply the AuthorizeAttribute to controllers as well as actions. If you apply it to the controller, each method will have its access restricted with respect to the attribute. You can also apply another instance of the attribute to individual actions to further restrict access if necessary based on other roles. You will need to put the individual users in their roles for them to have access to role-controlled controllers/actions.
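As an added illustration of that answer (not code from the question's project): a controller locked to the Admin role, one action inside it further restricted to SuperAdmin, and the Roles API used to put many users into a role without clicking through the Web Site Administration Tool. The controller, action and user names are constructed for the example.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Controller-level attribute: every action here requires the Admin role.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // A second attribute on the action. Attributes are ANDed, so the caller must
    // be in Admin (from the controller) AND in SuperAdmin (from the action).
    // A SuperAdmin who is not also an Admin never gets past the controller check;
    // either put SuperAdmins in both roles, or use Roles = "Admin,SuperAdmin"
    // on the controller (a comma means "any of these").
    [Authorize(Roles = "SuperAdmin")]
    public ActionResult PurgeEverything()
    {
        return View();
    }
}

// Role membership through the Roles API instead of the configuration tool.
// Run this from a one-off setup page or script, itself protected by [Authorize].
public static class RoleSetup
{
    public static void EnsureRolesAndAssign(string[] adminUserNames, string[] superAdminUserNames)
    {
        if (!Roles.RoleExists("Admin"))
            Roles.CreateRole("Admin");
        if (!Roles.RoleExists("SuperAdmin"))
            Roles.CreateRole("SuperAdmin");

        // Bulk assignment: one call per role, however many users there are.
        Roles.AddUsersToRole(adminUserNames, "Admin");
        // SuperAdmins also need Admin, or the controller-level attribute stops them.
        Roles.AddUsersToRole(superAdminUserNames, "Admin");
        Roles.AddUsersToRole(superAdminUserNames, "SuperAdmin");
    }
}

// Constructed sample call:
//   RoleSetup.EnsureRolesAndAssign(
//       new[] { "alice", "bob", "carol" },   // the many Admin users
//       new[] { "root1" });                   // the handful of SuperAdmins
```

Roles.AddUsersToRole is the same call the configuration tool makes under the covers, so the result is identical; the API just scales to hundreds of users where the tool does not.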
At what point should I be checking for my cookie in my MVC app? Basically, what I wish to do for each request is check whether there is a cookie and, if so, show their name on the screen somewhere; if not, and the page requires the user to be logged in, redirect them to a login page.
I DON'T want to use FormsAuthentication, as I wish to create and use my own IPrincipal object. I'm just not sure whether I should be setting these in a base controller class or creating my own Authorize attribute and doing the checks in there.
My initial thoughts are that I should be doing this in the base controller class as this is similar to the base page in webforms where I override oninit.
Do not attempt to do authentication in a base controller class. In a situation where an action result is cached, your action will not run at all, and no controller will ever be instantiated. Therefore, authentication done inside the controller is broken by design.
The correct way to customize authentication, for many reasons, is to create a custom authentication provider. I've explained the reasons why and given links to simple examples of how to do this in the post linked above.
In short, using this method:
Has the right level of modularity
Works with caching
Works with regular ASP.NET, as well as with MVC
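What "a custom authentication provider" looks like in practice, as an added example rather than code from the post the answer links to: an IHttpModule that handles AuthenticateRequest, verifies a signed cookie, and installs a custom IPrincipal on the request. Because it sits in the ASP.NET pipeline, it runs whether or not a controller is ever created, which is the caching argument made above. The cookie name, the PortalPrincipal type, the "Customer" role and the secret are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

// The caller's own IPrincipal, as the question asked for.
public class PortalPrincipal : IPrincipal
{
    private readonly string[] _roles;

    public PortalPrincipal(string userName, string[] roles)
    {
        Identity = new GenericIdentity(userName, "PortalCookie");
        _roles = roles ?? new string[0];
    }

    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        return Array.IndexOf(_roles, role) >= 0;
    }
}

public class CookieAuthModule : IHttpModule
{
    private const string CookieName = "portal_auth";

    // Assumption: a long random secret loaded from configuration, never a literal in source.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-32+-random-bytes-from-config");

    public void Init(HttpApplication app)
    {
        // AuthenticateRequest fires before authorization and before the output cache
        // is consulted, so a principal is set even for responses served from cache.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        if (cookie == null) return;               // anonymous request

        string userName;
        if (TryVerify(cookie.Value, out userName))
            ctx.User = new PortalPrincipal(userName, new[] { "Customer" });
        // A missing, malformed or forged cookie leaves the request anonymous;
        // [Authorize] on the action is what then redirects to the login page.
    }

    // Cookie layout: base64(userName) "." base64(HMAC-SHA256(secret, userName)).
    // The MAC is what stops a client from simply writing another user's name.
    // A production version also embeds an expiry in the signed data.
    public static HttpCookie Issue(string userName)
    {
        byte[] nameBytes = Encoding.UTF8.GetBytes(userName);
        string value = Convert.ToBase64String(nameBytes) + "." + Convert.ToBase64String(Mac(nameBytes));
        return new HttpCookie(CookieName, value) { HttpOnly = true, Secure = true };
    }

    public static bool TryVerify(string cookieValue, out string userName)
    {
        userName = null;
        if (string.IsNullOrEmpty(cookieValue)) return false;
        string[] parts = cookieValue.Split('.');
        if (parts.Length != 2) return false;

        byte[] nameBytes, mac;
        try
        {
            nameBytes = Convert.FromBase64String(parts[0]);
            mac = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }

        if (!FixedTimeEquals(mac, Mac(nameBytes))) return false;
        userName = Encoding.UTF8.GetString(nameBytes);
        return userName.Length > 0;
    }

    private static byte[] Mac(byte[] data)
    {
        using (var hmac = new HMACSHA256(Secret)) return hmac.ComputeHash(data);
    }

    // Constant-time comparison so a forged MAC cannot be guessed byte by byte via timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register the module in web.config (`<httpModules>` for IIS 6 or classic mode, `<system.webServer><modules>` for IIS 7 integrated mode), issue the cookie from your login action with `Response.Cookies.Add(CookieAuthModule.Issue(name))`, and the name for the screen is then just `User.Identity.Name` in any view. Nothing here needs a base controller, and the plain [Authorize] attribute keeps working because it only looks at `HttpContext.User`.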