I have created my own AuthorizeAttribute class to handle granular authorization in my MVC4 application.
This is the class:

    [AttributeUsage(AttributeTargets.Method, AllowMultiple = true)]
    public class isAuthorized : AuthorizeAttribute
    {
        public oRoles enRole;

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var authorized = base.AuthorizeCore(httpContext);
            string test = enRole.ToString();
            if (!authorized)
            {

I have the following enum declared to resolve code:

    public enum oRoles
    {
        StudentSelfPassword = 1,
        StaffSelfPassword = 2,
        StudentLookup = 3,
        StudentChangeRequest = 4,
        StudentAdmin = 5,
        StaffLookup = 6,
        StaffChangeRequest = 7,
        StaffAdmin = 8,
        ChangeQueueApproval = 9
    }

In my controller, I call AuthorizeAttribute:

    [isAuthorized(enRole = oRoles.StudentLookup)]
    [isAuthorized(enRole = oRoles.StaffLookup)]
    [isAuthorized(enRole = oRoles.StudentChangeRequest)]
    [isAuthorized(enRole = oRoles.StaffChangeRequest)]

When I run it through the debugger, the first one starts autostart and returns true (as it should), and the second goes to assembler, where it returns false, and then immediately asks me for authentication. I expected this to allow, because the first condition was true. However, it seems my assumption was wrong.
Initially, I had Roles = "change, admin", which were groups in the domain, and it worked, but the groups had to be dynamic in their purpose, and not static. There I was able to click a few elements. Is it because it is sent as a string?
Is there a way to essentially do isAuthorized(...) || isAuthorized(...) || isAuthorized(...), so that if one condition is true, it is checked as OK?
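
An added example, not part of the original post: ASP.NET MVC runs each attribute instance as a separate authorization filter and every one must pass, so stacked attributes behave as AND; a single attribute that carries all acceptable roles gives OR semantics. `IsAuthorizedAnyAttribute`, `UserHasRole` and `LookupController` are hypothetical names, `oRoles` is the enum from the post, and the `IsInRole` lookup is a placeholder assumption for the application's own dynamic role resolution.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// One filter instance per action, so the OR is evaluated inside a single check.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public class IsAuthorizedAnyAttribute : AuthorizeAttribute
{
    private readonly oRoles[] _anyOf;   // oRoles: the enum declared in the post

    public IsAuthorizedAnyAttribute(params oRoles[] anyOf)
    {
        // Fail at startup rather than silently allowing or denying everyone.
        if (anyOf == null || anyOf.Length == 0)
            throw new ArgumentException("At least one role is required.", "anyOf");
        _anyOf = anyOf;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Fail closed: the base check rejects unauthenticated requests.
        if (!base.AuthorizeCore(httpContext)) return false;
        // Authorized when the user holds ANY of the listed roles.
        return _anyOf.Any(role => UserHasRole(httpContext, role));
    }

    // Hypothetical lookup (assumption): replace with the application's own
    // dynamic role resolution, e.g. a database or directory query.
    protected virtual bool UserHasRole(HttpContextBase httpContext, oRoles role)
    {
        return httpContext.User.IsInRole(role.ToString());
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but lacking a role: answer 403 instead of the default
        // 401, which makes the browser prompt for credentials again.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class LookupController : Controller
{
    [IsAuthorizedAny(oRoles.StudentLookup, oRoles.StaffLookup,
                     oRoles.StudentChangeRequest, oRoles.StaffChangeRequest)]
    public ActionResult Index() { return View(); }
}
```

MVC caches attribute instances across requests, so the attribute keeps only the immutable role list and reads per-request state from `httpContext`.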