Authorization permission based on .net permissions

I am new to .NET, MVC and Identity Framework. I noticed that the identity system allows you to protect individual actions using attributes.

    [Authorize]
    public ActionResult Edit(int? Id)
    {
        //edit action
    }

I would like to protect certain actions based on user rights.

Example: A blog application that can only be edited by the user who created the blog post.

With this in mind, is it possible to perform any of the following options? If so, are there resources and examples of how best to achieve?

    [Authorize(Entity = "Entry", Permission = "Edit", Id = Id)]
    public ActionResult Edit(int? Id)
    {
        //edit action
    }

or

    [BlogEntryPermission(Permission = "Edit", Id = Id)]
    public ActionResult Edit(int? Id)
    {
        //edit action
    }

where Id is the blog post's Id taken from the request.

Any information or references on rights-based authorization would be greatly appreciated. Thanks in advance for your help.

+7
asp.net-mvc asp.net-identity user-permissions
3 answers

You can implement your own AuthorizeAttribute, where you specify your parameters, and you can get the blog Id from the request.

    using System;
    using System.Web;
    using System.Web.Mvc;

    public class AuthorizeEntryPermission : AuthorizeAttribute
    {
        public string Permission { get; set; }

        public AuthorizeEntryPermission() { }

        public AuthorizeEntryPermission(string permission)
        {
            this.Permission = permission;
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Let the base attribute reject anonymous users (and apply Roles/Users if set).
            if (!base.AuthorizeCore(httpContext))
                return false;

            // The entry id comes from the route data of the current request (e.g. /Entry/Edit/42).
            var id = httpContext.Request.RequestContext.RouteData.Values["Id"];

            // Check whether httpContext.User holds Permission on the entry with this id.
            // The lookup itself is application-specific; deny until it is implemented.
            bool allowed = false; // replace with your permission lookup
            return allowed;
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
                throw new ArgumentNullException("filterContext");

            if (AuthorizeCore(filterContext.HttpContext))
            {
                // ** IMPORTANT **
                // Since we're performing authorization at the action level, the authorization code runs
                // after the output caching module. In the worst case this could allow an authorized user
                // to cause the page to be cached, then an unauthorized user would later be served the
                // cached page. We work around this by telling proxies not to cache the sensitive page,
                // then we hook our custom authorization code into the caching mechanism so that we have
                // the final say on whether a page should be served from the cache.
                HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
                cachePolicy.SetProxyMaxAge(new TimeSpan(0));
                cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
            }
            else
            {
                // No permission: the base implementation returns 401 (forms auth turns this into a login redirect).
                HandleUnauthorizedRequest(filterContext);
            }
        }

        private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
        {
            validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));
        }
    }

Then use it as follows:

    [AuthorizeEntryPermission(Permission = "Edit")]
    public ActionResult Edit(int? Id)
    {
        //edit action
    }
+6
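The answer above leaves the actual permission lookup as a comment. As an added example (not code from the answer or the question), here is one way to fill it in for the case the question describes: only the user who created a blog entry may edit it. The `BlogEntry` model, the `IBlogEntryStore` interface, the `EntryPermissions` helper and `EntryController` are all assumed names; only `AuthorizeAttribute`, `HttpStatusCodeResult`, `DependencyResolver` and the Identity `GetUserId()` extension come from ASP.NET MVC 5 / Identity 2. The check is written once and used both by an attribute (for GET, where the id is in the route) and inside the POST action (where the id comes from the posted model).

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // GetUserId() extension on IIdentity

// Hypothetical entry model and store; replace with your own repository.
public class BlogEntry
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // Identity user id of the author
    public string Body { get; set; }
}

public interface IBlogEntryStore
{
    BlogEntry Find(int id);
}

// Owner-only check shared by the attribute and by POST actions.
public static class EntryPermissions
{
    // True only if the entry exists and belongs to the current user.
    public static bool CanEdit(IBlogEntryStore store, IPrincipal user, int? id)
    {
        if (user == null || !user.Identity.IsAuthenticated || id == null)
            return false;                     // fail closed on anonymous or missing id
        var entry = store.Find(id.Value);
        if (entry == null)
            return false;                     // unknown entry: deny, do not reveal existence
        return string.Equals(entry.OwnerId, user.Identity.GetUserId(), StringComparison.Ordinal);
    }
}

// Attribute for GET actions whose entry id comes from the route.
public class AuthorizeEntryOwnerAttribute : AuthorizeAttribute
{
    // Resolved per request: MVC caches attribute instances, so no request state in fields.
    public Func<IBlogEntryStore> StoreFactory =
        () => DependencyResolver.Current.GetService<IBlogEntryStore>();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))   // authenticated (and any Roles/Users set)
            return false;

        var raw = httpContext.Request.RequestContext.RouteData.Values["Id"] as string;
        int id;
        if (!int.TryParse(raw, out id))        // malformed or absent id: deny
            return false;

        return EntryPermissions.CanEdit(StoreFactory(), httpContext.User, id);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not the owner: 403, not a redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);   // 401 -> login redirect
    }
}

public class EntryController : Controller
{
    private readonly IBlogEntryStore _store;
    public EntryController(IBlogEntryStore store) { _store = store; }

    [AuthorizeEntryOwner]
    public ActionResult Edit(int? id)
    {
        return View(_store.Find(id.Value));   // attribute already rejected a null id
    }

    // The POST persists the entry named by model.Id, so the check must use that id;
    // checking only the route value would leave the posted id unverified.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(BlogEntry model)
    {
        if (!EntryPermissions.CanEdit(_store, User, model.Id))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        // ... save model ...
        return RedirectToAction("Index");
    }
}
```

Because only `AuthorizeCore` is overridden, the base `OnAuthorization` still installs the output-cache validation callback that the answer's code reproduces by hand, so the cached-page problem described in its comment is covered without repeating that code.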

MVC has built-in roles. You can make the roles as granular as you need, which makes them look like permissions. For example, you can create role names such as:

  • EditBlogPost
  • AddBlogPost
  • ViewBlogPost

You can then apply the roles to your controller actions using the built-in AuthorizeAttribute.

    [Authorize(Roles = "AddBlogPost")]
    public ActionResult Add()
    {
        //add action
    }

    [Authorize(Roles = "AddBlogPost")]
    [HttpPost]
    public ActionResult Add(BlogModel model)
    {
        //add action
    }

    [Authorize(Roles = "EditBlogPost")]
    public ActionResult Edit(int? Id)
    {
        //edit action
    }

    [Authorize(Roles = "EditBlogPost")]
    [HttpPost]
    public ActionResult Edit(BlogModel model)
    {
        //edit action
    }

    [Authorize(Roles = "ViewBlogPost")]
    public ActionResult View()
    {
        //view action
    }

Then it’s just a matter of assigning different roles to each user in your database.

+1

I hope your problem is resolved so far. But it’s worth adding a new solution. I have implemented the permission-based extension for the Microsoft Identity 2 membership system. This is an open source project and you can access the repository here:

https://github.com/Arminkhodaei/Identity-Permission-Extension

Usage:

First approach:

    // GET: /Manage/Index
    [AuthorizePermission(Name = "Show_Management", Description = "Show the Management Page.")]
    public async Task<ActionResult> Index(ManageMessageId? message)
    {
        //...
    }

Second approach:

    // GET: /Manage/Users
    public async Task<ActionResult> Users()
    {
        if (await HttpContext.AuthorizePermission(name: "AllUsers_Management", description: "Edit all of the users information."))
        {
            return View(db.GetAllUsers());
        }
        else if (await HttpContext.AuthorizePermission(name: "UnConfirmedUsers_Management", description: "Edit unconfirmed users information."))
        {
            return View(db.GetUnConfirmedUsers());
        }
        else
        {
            return View(new List<User>());
        }
    }
+1