ASP.NET Authorize Attribute and Administrator User Role

Using the Authorize attribute, I can specify the roles that are allowed access to resources.

 [Authorize(Roles="User")] 

But if I have an admin user who is allowed to go to any resource, I also need to specify this

 [Authorize(Roles="User, Administrator")] 

But maybe there is some other way: can I somehow say that the Administrator is allowed to go anywhere, without specifying it in every Authorize attribute?

So, I mean that if somewhere in the code (on a controller or on an action) [Authorize(Roles="User")] is specified, the Administrator role will also have access there.

Or maybe I can set this up for all Authorize roles dynamically, for example when the application starts?

Any ideas?

UPDATED:

I currently have one admin controller with the [Authorize(Roles="Administrator")] attribute, and I have some actions in some other controllers with [Authorize(Roles="User")] attributes, so I will need to add "Administrator" there if I do not find a better solution.

+8
authorization asp.net-mvc-3
5 answers

I think this will work for you. Create your own base controller decorated with AuthorizeAttribute, and then make your other controllers inherit from that base class.

    [Authorize(Roles = "Admin")]
    public class MyFancyController : Controller
    {
    }

    [Authorize(Roles = "TaxPayer")]
    public class WizardController : MyFancyController
    {
        ...
    }

It's scary though, in my opinion.

How many controllers/actions do you have? What if you forget about this later, and you have a page that you do not want admins to have access to?

Would it be harder to debug the code?

+2
    [Authorize(Roles = "User, Admin")]
    public class PrestamosController : Controller
    {
        // controller details
    }
+2

You can create your own filter and use it to decorate your actions or controllers. This is a simple structure that I have used quite a lot:

    using System.Web.Mvc;

    public class AuthorizationAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Reject anonymous requests before looking at anything else.
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                filterContext.Result = new HttpUnauthorizedResult();
                return;
            }

            // The action and controller being requested, for the authorization decision.
            var actionName = filterContext.ActionDescriptor.ActionName;
            var controllerName = filterContext.Controller.GetType().Name;

            bool isAuthorized = false;
            // Put your logic here !!!! (decide from the user, controllerName and actionName)

            if (!isAuthorized)
            {
                filterContext.Result = new HttpUnauthorizedResult();
                return;
            }
        }
    }

You can read more here

+1
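As an added example (not code from the question or from any of the answers), here is the variant of the filter idea above that answers the question directly: a subclass of AuthorizeAttribute, rather than ActionFilterAttribute, whose AuthorizeCore lets the Administrator role through on every action it decorates and otherwise defers to the stock Users/Roles check. Deriving from AuthorizeAttribute matters for two reasons: authorization filters run before action filters, and AuthorizeCore is also what the output-cache validation callback calls, so a cached page is not served to a user who would fail the check. Note also that stacking [Authorize] on a base and a derived controller, as in the first answer, is not an "or": every [Authorize] on the chain is a separate filter and each one must pass. The attribute name, the controller and the role name "Administrator" (taken from the question) are assumptions; adjust them to your own role store.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: an AuthorizeAttribute subclass that admits the "Administrator"
// role on every action it decorates, in addition to the roles named in Roles = "...".
// Attribute name and AdminRole value are assumptions, not part of the original page.
public class RoleOrAdminAuthorizeAttribute : AuthorizeAttribute
{
    // Role name as used in the question; change it if your store calls it "Admin".
    public const string AdminRole = "Administrator";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        var user = httpContext.User;

        // Anonymous requests are always rejected, even before the admin short-cut.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Administrators bypass the Roles/Users lists entirely.
        if (user.IsInRole(AdminRole))
            return true;

        // Everyone else gets the stock check: Users and Roles, when set, must match;
        // with neither set, any authenticated user passes.
        return base.AuthorizeCore(httpContext);
    }
}

// Usage: drop it in wherever [Authorize(Roles = "User")] was used before.
// A member of "User" gets in, an Administrator gets in, anyone else receives
// a 401 (which forms authentication turns into a redirect to the login page).
[RoleOrAdminAuthorize(Roles = "User")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // For a page administrators must not reach, add the stock attribute at
    // action level: both filters must pass, so an Administrator who is not
    // also in "User" is denied here.
    [Authorize(Roles = "User")]
    public ActionResult UserOnly()
    {
        return View();
    }
}
```

The admin short-cut goes through IPrincipal.IsInRole, so it works with whatever populates the principal (a RoleProvider, or a principal you build yourself). Registering the attribute as a global filter in Global.asax would apply it to every action, including the login action, so in MVC 3 (which has no [AllowAnonymous]) it is better applied per controller or per action as shown.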

This is what I am doing: make sure that users who are in the "Admin" role are also in the "User" role.

0

You need the concept of a Static Role and a Runtime Role. Here is a simple example:

List of roles and their levels:

  • Role: Admin | Level: 1
  • Role: Editor | Level: 2
  • Role: Viewer | Level: 3

Users and their static role (the static role is the role that you assigned to the user):

  • User: John | Role: Admin
  • User: Sam | Role: Editor
  • User: Peter | Role: Viewer

At run time, you compute a Runtime Role from the static roles and the role levels: users with a higher role level automatically get the roles at the lower levels. So after computing the runtime roles, these users will have:

  • User: John | Roles: Admin, Editor, Viewer
  • User: Sam | Roles: Editor, Viewer
  • User: Peter | Roles: Viewer

And then you can just use [Authorize(Roles = "Viewer")]; users with a higher permission level (for example John and Sam) can access it, because at runtime they also have the Viewer role.

The point of having both a static role and a runtime role is that the static role simplifies role assignment, while the runtime role simplifies the authorization of resources.

0
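The static-to-runtime expansion this answer describes, as an added example that is not code from the answer or the question: the role levels and users are the ones listed above, and the runtime roles are installed on the request principal from Application_PostAuthenticateRequest so that the stock [Authorize(Roles = "Viewer")] admits Admins and Editors without any change to the attributes. The level table, the MvcApplication hook and the LookupStaticRole helper (which stands in for your membership or database lookup) are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added example: expand a user's single static role into the set of runtime roles
// implied by the level hierarchy (level 1 is the most privileged).
public static class RoleHierarchy
{
    // Role names and levels taken from the answer above.
    private static readonly Dictionary<string, int> Levels =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admin",  1 },
            { "Editor", 2 },
            { "Viewer", 3 },
        };

    // Returns the static role plus every role at a less privileged level.
    // An unknown or missing static role yields no roles at all (fail closed).
    public static string[] ExpandRuntimeRoles(string staticRole)
    {
        int level;
        if (staticRole == null || !Levels.TryGetValue(staticRole, out level))
            return new string[0];

        return Levels.Where(kv => kv.Value >= level)
                     .OrderBy(kv => kv.Value)
                     .Select(kv => kv.Key)
                     .ToArray();
        // "Admin"  -> { "Admin", "Editor", "Viewer" }
        // "Editor" -> { "Editor", "Viewer" }
        // "Viewer" -> { "Viewer" }
    }
}

// Global.asax.cs: replace the principal once authentication has run, so that
// IPrincipal.IsInRole (which AuthorizeAttribute calls for each name in Roles)
// answers from the runtime roles rather than the single static role.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User != null ? Context.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated)
            return; // anonymous request: leave the principal alone

        string staticRole = LookupStaticRole(identity.Name); // hypothetical lookup
        string[] runtimeRoles = RoleHierarchy.ExpandRuntimeRoles(staticRole);

        var principal = new GenericPrincipal(identity, runtimeRoles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }

    // Constructed sample data standing in for a database or membership provider;
    // the users and static roles are the ones listed in the answer.
    private static string LookupStaticRole(string userName)
    {
        switch (userName)
        {
            case "John":  return "Admin";
            case "Sam":   return "Editor";
            case "Peter": return "Viewer";
            default:      return null;
        }
    }
}
```

With this in place an admin controller keeps its [Authorize(Roles = "Admin")] and the rest of the application keeps [Authorize(Roles = "Viewer")] or [Authorize(Roles = "Editor")]; John passes all three, Sam the last two, Peter only the first, exactly as the table above states. If you need a page that admins must not see, give it its own role that is not part of the hierarchy rather than relying on the level ordering.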
