Restrict access to a certain action based on ID - asp.net-mvc

Say that you have a controller named Buildings and that every user in the system has a set of buildings that he/she administrates. If you have an Edit action in your controller that you can access with /Buildings/Edit/{id}, is there a nice and simple way to implement some kind of authorization attribute that only allows access to this site if the id you are trying to edit is part of the logged-in user's set of buildings? Or do you have to handle this yourself in your controller?
regards
Freddy

You can use ActionFilterAttribute.
Check out this SO too
Check this post: asp.net mvc attributes actionfilterattribute and why you might want to use them

Sure you can, you can derive from the Authorize attribute to define your own authorization for an action method. There's an example of using it in this blog post.
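A derived attribute for the Buildings case could look like the following. This is an added example, not code from the linked blog post or from any answer on this page; `AuthorizeBuildingAttribute` and `IBuildingAccessService` are hypothetical names, and it assumes System.Web.Mvc with the id carried in the route as /Buildings/Edit/{id}.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup service (not part of ASP.NET MVC); register it with
// the application's DependencyResolver.
public interface IBuildingAccessService
{
    bool UserAdministersBuilding(string userName, int buildingId);
}

public class AuthorizeBuildingAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: authenticated, plus any Users/Roles restrictions.
        if (!base.AuthorizeCore(httpContext)) return false;

        var request = httpContext.Request;
        string raw = Convert.ToString(request.RequestContext.RouteData.Values["id"]);

        // Fail closed when form or query string carries a different "id", so
        // the value checked here is the value model binding gives the action.
        foreach (var other in new[] { request.Form["id"], request.QueryString["id"] })
            if (other != null && other != raw) return false;

        int buildingId;
        if (!int.TryParse(raw, out buildingId)) return false;

        var access = DependencyResolver.Current.GetService<IBuildingAccessService>();
        return access != null &&
               access.UserAdministersBuilding(httpContext.User.Identity.Name, buildingId);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but not an administrator of this building: answer 403
        // instead of the default 401, which forms auth turns into a login redirect.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class BuildingsController : Controller
{
    [AuthorizeBuilding]
    public ActionResult Edit(int id) { return View(); }
}
```

Because the check lives in AuthorizeCore, it is also re-run when a response is served from the output cache. The POST action that saves the edit needs the same attribute as the GET action.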

Related

Accessing One action publicly after having custom authorization on controller?

I am using MVC 3 and have a custom authorization attribute inheriting AuthorizeAttribute on my controller. However, in one case I want to access one action from this controller without any authentication on it. Is it possible?
I want to do it without making any changes in the controller file, as that code is already in production. Is there any way to override it from web config?
Yeah, you can do that by simply removing the Authorize attribute from the whole controller class and instead putting the Authorize attribute on individual actions wherever you want.

Is it bad practice for a controller's actions to have differing authorization levels?

We are developing a website and we have a controller that handles CRUD for a model, e.g. Country. Only the Administrator is allowed to perform CRUD operations. However, we also want the controller to provide a JSON select list of entities to populate a drop-down. This pattern exists throughout the application.
This means that we can't use the standard authorization attribute to restrict access to administrators at the entry to the controller. We need to decorate each action with specific authorize attribute.
Is the fact that we need multiple authorization levels on a single controller a bad sign? Does it suggest we are violating SRP?
What is the best pattern to deal with the fact many controllers relate to entities that need to be updatable only by Admin but provide a JSON select list for all authorized users?
Thanks
The only problem with doing this is the risk that you might forget to protect an action that is supposed to be admin only.
Really the preferred way to approach this problem is to have an admin-only area on your site (using MVC areas).
http://msdn.microsoft.com/en-us/library/ee671793.aspx
http://sankarsan.wordpress.com/2012/04/14/asp-net-mvc-areasa-better-way-to-structure-the-application/
This way the entire www.site.com/admin section would be protected as admin-only.
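The risk of a forgotten attribute described above can be caught mechanically. The following is an added example, not code from this answer or from ASP.NET MVC itself: a reflection check, under the hypothetical name `AuthorizationAudit`, that lists every public action with no AuthorizeAttribute (or subclass of it) on the method or its controller. It assumes authorization is applied through attributes and does not see globally registered filters.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class AuthorizationAudit
{
    // Returns "Controller.Action" for every public action that carries no
    // AuthorizeAttribute on the method and none on its controller class.
    public static IList<string> FindUnprotectedActions(Assembly webAssembly)
    {
        var findings = new List<string>();
        var controllers = webAssembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (var controller in controllers)
        {
            // inherit: true also finds an attribute placed on a base controller.
            bool classProtected = controller
                .GetCustomAttributes(typeof(AuthorizeAttribute), true).Any();

            // Only methods declared in the application's own assembly, which
            // leaves out Controller and object members but keeps actions
            // inherited from the application's base controllers.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => m.DeclaringType.Assembly == webAssembly
                         && !m.IsSpecialName
                         && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
            {
                bool methodProtected = action
                    .GetCustomAttributes(typeof(AuthorizeAttribute), true).Any();
                if (!classProtected && !methodProtected)
                    findings.Add(controller.Name + "." + action.Name);
            }
        }
        return findings;
    }
}
```

Run it from a unit test against the web project's assembly and compare the result with a reviewed list of actions that are meant to be public, so that a newly added unprotected action fails the build.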

ASP.NET MVC Controller Action Authorization

Just starting out with ASP.NET MVC. I'm working on a customer portal for our (FogBugz) helpdesk system. I understand that decorating my ActionResults with [Authorize] will require that the user is logged in, but what I'm not sure on is how best to ensure that a user can only access their own calls.
Once a user is authorised I can get their username from the User object, so should I be passing that from my controllers into the business layer and authorizing there, or is there a better way to do this (like a custom AuthorizeAttribute)?
I think you should read the article below. It may help you find the right way.
Rick Anderson # MSDN Blog.
or
How do I create a custom AuthorizeAttribute that is specific to the area, controller or action?

ASP.NET MVC: can I write AuthorizeAttribute in model

In the ASP.NET MVC architecture,
can I write AuthorizeAttribute on a method of a model class?
I am trying to do this but it's not working.
Please let me know how I can do this.
No, you can apply authorization to a controller's actions only.
You should check there whether the user can access the actions performed on the model and then do it. Putting authorization on the model is not good, because the same model may be used in different actions, and the user may be authorized for some and denied others.

ASP.NET MVC getting user variables

Just getting started using MVC in ASP.NET, I'm going to have it so users must log in to use certain features. Now I have a User controller that stores users in a table and another controller that adds data to another table. Once the user is logged in, how would I get their id from the user table from within the add controller in order to add their id to that table?
I think that to solve your problem from the top down you might want to look into ASP.NET MVC Authentication instead of implementing something like this yourself. That said if you have a great reason for continuing down the path you're taking then I have some suggestions.
Firstly you may wish to consider using the repository pattern to add/remove/get data to and from your database. Any controller can implement any repository it likes so your add controller can just implement the user repository to get the user.
Also, remember that in ASP.NET MVC you can use session variables. If you need to know which user is doing what, then just store it in the session and retrieve it from there.
