I have a super simple ASP.NET MVC application that uses RpxNow (OpenID) to allow users to login. I now want to let users edit their own account and provide administrator access to edit anyone's account.
I have two separate "Edit Account" views:
~/account/edit/
~/account/edit/1
The first loads the account details based on the logged in user. The second loads the account details using the supplied AccountId. The first would be for standard users, and the second for an administrator.
Firstly I need to define the roles (User, Admin) and then I need to assign a user account (or multiple) to that role.
Then I need to check the role in the controller. I like this concept:
http://schotime.net/blog/index.php/2009/02/17/custom-authorization-with-aspnet-mvc/
So, down to the questions:
Is there a simple way to define a list of roles in the web.config?
Is there a simple way to define which users are in which roles in the web.config?
Is there a way to do this WITHOUT using Membership / Role providers?
Am I approaching this from the wrong perspective? Should I be partitioning the application into two branches and securing them based on folder authorisation?
I'm not a friend of storing authorization data in web.config. I prefer storing it in database or other xml files.
Have a look at Xml Membership / Role Provider. This uses Membership / Role for reading user data, but it shows a way of storing and reading user authorization data from xml files.
Branching the application would move the issue and not solve it.
Remember that the entire permissions plumbing still really revolves around IPrincipals, the Role/Membership providers are just window dressing to allow most applications to not have to write that plumbing code. In this case, you could easily add a database-backed (or just static if the list is short enough) list of roles and a list of users in roles and query that. Wrap it up behind a custom IPrincipal and stuff that puppy in there at the appropriate place and you are golden.
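The "custom IPrincipal stuffed in at the appropriate place" approach from the answer above, as an added example (not code from the original post): roles come from our own static map, the principal is swapped in during Application_PostAuthenticateRequest, and no Role/Membership provider is involved. The user-to-roles map and the class names are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical principal: roles come from our own lookup, not a RoleProvider
public sealed class RolePrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    public RolePrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return _roles.Contains(role); }
}

public static class RoleStore
{
    // Constructed sample mapping; replace with a database or XML-backed lookup
    private static readonly Dictionary<string, string[]> UsersInRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.com", new[] { "Admin", "User" } },
            { "bob@example.com",   new[] { "User" } },
        };

    public static IEnumerable<string> RolesFor(string userName)
    {
        string[] roles;
        return UsersInRoles.TryGetValue(userName ?? "", out roles) ? roles : Enumerable.Empty<string>();
    }
}

// Global.asax.cs: runs after forms authentication has set the identity, before authorization
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return;
        var principal = new RolePrincipal(identity, RoleStore.RolesFor(identity.Name));
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

With this in place, [Authorize(Roles = "Admin")] on the ~/account/edit/{id} action works unchanged, because AuthorizeAttribute only calls User.IsInRole.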
Perhaps I've misunderstood the concept of Roles in ASP.NET Identity and the database model, but I'm struggling to wrap my head around how to implement the following scenario: With ASP.NET Identity, it seems a User has permissions globally based on a Role, as opposed to permissions on a more granular level. I'm trying to implement a DB Schema in EF6 with Code-First where a User can be a member of several Groups. Instead of having a global Role however, I want the User to have one role in one Group, and a different Role in another.
For example, a User can create a Group, and therefore be the Group Admin, but could also be a Teacher in the Group and therefore be able to contribute Content. The same User could also be a Student in a different Group, and have different permissions in that Group as a result. Users can perform multiple Roles in a given Group, and their permissions should be based on their Role(s) within that Group.
From what I can see this isn't the intended structure for ASP.NET Identity, as I can't see how to limit the scope of a specific Role to a Group. Also, ideally I'd like to be able to assign a User to a Group, and then assign a Group of Users to another group, so for example I have a Group of Users and I assign that Group to a specific Role within another Group.
What I have in mind is a Membership table that has UserId, GroupId and RoleId to deal with mapping the Roles to specific Groups, but how would I extend that to have Roles inherited from Groups, and would I be able to leverage ASP.NET Identity to help me manage these Roles or do I have to cook my own solution up from scratch?
Take a look at this if you haven't already found it and you're working with MVC.
http://typecastexception.com/post/2014/08/10/ASPNET-Identity-20-Implementing-Group-Based-Permissions-Management.aspx
I've been working on the same issue as you recently. This covers a lot of the requirements but there is a gap - ASP.NET Identity doesn't differentiate between authorization and authentication. In all cases, a user that does not have the required permission gets sent to the login screen. That's fine if they're not logged in, but not if they are logged in and trying to access something that they have no permission for. That is probably addressed here, but I haven't had time to test it yet.
How to make Authorize attribute return custom 403 error page instead of redirecting to the Logon page
Let's say I have a ASP.NET MVC 4 application. I need to provide different privileges on different pages for same users. For example, The same user could be an administrator on one page and a guest on another. MVC by default provides system wide user privileges.
I dug up some information that I should use custom membership providers to achieve my goal, but am not yet sure about this.
Can someone suggest a solution?
The roles should behave the same on the same type of pages. Let's say that a topic's content, on a forum, could be edited only by the person who created it or by a moderator. Yet the user will not be able to edit someone else's topic and the moderator will not be able to edit a topic that is not a part of his topic subject group. The role system in my application should behave similarly.
You don't necessarily have to create a custom membership provider, but you are going to have to think about permissions differently.
To start, replace the word "Role" with "Operation" in your head.
You need to create atomic, fine grained permissions in your application such as:
UserPropertiesView
UserPropertiesModify
CreateUser
DeleteUser
RolesView
RolesModify
CreateRole
DeleteRole
It might be difficult at first, but this gives you great control and flexibility over assigning operations to individual users. Since different pages will have different operations, you will be able to customize their access.
Unfortunately, the out of the box ASP.Net membership and role providers all work off the concept of a coarse-grained Role. So long as you know they are Operations, and not roles, you will be good.
Abstractions are your friend here:
using System.Web;

public static class Permissions
{
    // Checks whether the current user holds the named operation.
    // The operations are stored as "roles" in the role provider, so IsInRole does the lookup.
    public static bool Operation(string op)
    {
        // this class can be a lot better
        // it can be testable, and check
        // error conditions, but this is
        // only an example :)
        return HttpContext.Current.User.IsInRole(op);
    }
}
Somewhere you will want to group all these operations up into Roles, but that will require some custom programming on your part.
Custom Providers really aren't that scary, and you can extend the built in ones easily.
Custom Role Provider
Custom Membership Provider
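The "group operations into roles" step the answer leaves as custom programming, as an added example (not code from the answer): a role-to-operations table, an action filter that authorizes on a single operation, and a 403 for users who are logged in but lack it (the gap raised in the ASP.NET Identity answer further up). The role table and the AuthorizeOperation attribute are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Constructed role -> operations table: the "grouping operations into roles" the answer mentions
public static class OperationMap
{
    private static readonly Dictionary<string, string[]> RoleOperations =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admin", new[] { "UserPropertiesView", "UserPropertiesModify", "CreateUser", "DeleteUser",
                               "RolesView", "RolesModify", "CreateRole", "DeleteRole" } },
            { "Moderator", new[] { "UserPropertiesView", "RolesView" } },
            { "User", new[] { "UserPropertiesView" } },
        };

    // Granted when any role the principal holds includes the operation
    public static bool Allows(IPrincipal user, string op)
    {
        return RoleOperations.Any(kv => user.IsInRole(kv.Key) &&
                                        kv.Value.Contains(op, StringComparer.OrdinalIgnoreCase));
    }
}

// Hypothetical filter: [AuthorizeOperation("UserPropertiesModify")] on an action or controller
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class AuthorizeOperationAttribute : AuthorizeAttribute
{
    private readonly string _op;
    public AuthorizeOperationAttribute(string op) { _op = op; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        return user != null && user.Identity.IsAuthenticated && OperationMap.Allows(user, _op);
    }

    // Logged in but lacking the operation: answer 403 instead of bouncing to the login page
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```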
I am learning ASP.NET MVC 3 and trying to create a web application where users can upload some data and manage it.
Here is my problem:
I need to associate users to data in my database therefore I need users to have unique ids. However, users need to be able to log in from multiple membership providers (sql and ldap). So I can't assume their ProviderUserKey is unique nor can I assume what type it is.
What I need is some way to merge the users provided by the different membership providers into one user class that has unique user ids usable in my database. Can anyone give me some pointers on how to do this?
I am new to the ASP.NET MVC 3 framework, so I don't know if something like this already exists or not.
E: I want the business logic to be oblivious to how the user logged in. It shouldn't matter to it.
Their ldap email address could provide a good unique identifier, I have used this in a similar situation.
Being fairly new to the MVC Framework, I am trying to establish a custom Membership provider which can support the concept of Groups or departments.
I need to assign each user to belong to one (and only one) of several groups - each group (and its members) can only view records which belong to it - identified by the GroupId.
I need to somehow store this groupid within the users profile so that when they are logged in and call (for example) the Index method on the controller, the groupid is passed which will then filter the records which the user can see.
I am sure it is a straightforward approach, but I seem to have a mental block with it.
Any insight will be helpful (and probably embarrassingly simple!)
Roger
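One way to carry the GroupId described in the question above and filter on it in the controller, as an added example (not code from the question or its answers): the GroupId is written into the forms authentication ticket's UserData at login and read back from the FormsIdentity on each request, so the filter key never comes from the client. The Record type, the sample rows and the GroupTicket helper are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class Record { public int Id; public int GroupId; public string Title; }
public static class GroupTicket
{
    // Issue the forms cookie with the user's GroupId carried in the ticket's UserData
    public static void SignIn(HttpResponseBase response, string userName, int groupId)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, groupId.ToString());
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true };
        response.Cookies.Add(cookie);
    }
    // Read it back from the authenticated identity; null if absent or not a forms ticket
    public static int? GroupIdOf(IPrincipal user)
    {
        var identity = user == null ? null : user.Identity as FormsIdentity;
        int groupId;
        if (identity == null || !int.TryParse(identity.Ticket.UserData, out groupId)) return null;
        return groupId;
    }
}

[Authorize]
public class RecordsController : Controller
{
    // Constructed sample rows standing in for the real table
    private static readonly Record[] AllRecords =
    {
        new Record { Id = 1, GroupId = 10, Title = "Sales forecast" },
        new Record { Id = 2, GroupId = 20, Title = "HR handbook" },
        new Record { Id = 3, GroupId = 10, Title = "Sales targets" },
    };

    public ActionResult Index()
    {
        var groupId = GroupTicket.GroupIdOf(User);
        if (groupId == null) return new HttpStatusCodeResult(403);
        // The filter key comes from the encrypted ticket, never from a request parameter
        var visible = AllRecords.Where(r => r.GroupId == groupId.Value).ToList();
        return View(visible);
    }
}
```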
I wonder if you could use "roles" instead of "groups". Permissions can be handled easily with roles. Usually, a role is something like admin, manager, superuser, user, guest. But couldn't you use roles for your purposes?
Here's an explanation of using roles in the Membership provider: How To: Use Role Manager in ASP.NET 2.0. You can find lots more by searching for "roles" instead of "groups".
And in case you don't have the Membership source code as a reference, you can download it from this page Microsoft ASP.NET 2.0 Providers: Introduction to see how they code for roles in the basic version.
I want to use an existing user and user group table that the forums use. I would prefer not to have to add any additional tables (other than what the forum already has).
I will be using MS SQL.
The forums are PHP which is why I want the .net site to handle all of the logic. The forum will use its own PHP logic as I will set and remove the cookies.
When the user requests a new password I would want to specify the text in the email.
I would want to set additional cookies when the user logs in (so that they are logged into the forums when they login to the site).
Is it possible to do this with the .net membership provider?
You can implement your own provider, see here. This way you can choose any db schema you want, use your own password rules etc... It just requires you to overwrite the membership interface. Then you choose to use it in the web.config, having 100% portability if you will change in the future...
I wouldn't. The membership provider stuff is a leaky abstraction. You have much more flexibility when implementing Users and Groups as fully fledged domain objects.