ASP.NET MVC: Opposite of [Authorise]

Question

The authorize filter allows you to specified group of users that can access a controller or action:

[Authorize(Roles="Administrator")]
public class HomeController : Controller
{
    // code
}

I would like to know if it is possible to, instead, specify a group of users that cannot access a controller or action.

I cannot imagine a scenario where switching from a white list implementation to a black list implementation would make sense. — Spencer Ruport, Sep 04 '09 at 00:13
I don't want my Administrators to access the customer related controllers but I obviously need non-authorised users and Customers to be able to. — ajbeaven, Sep 04 '09 at 00:27
There are many cases where it makes sense, and most authorization systems include support for denial. Consider a scenario where all users have permission to do something except for members of a specific role. — ShadowChaser, Jul 01 '12 at 03:05

score 5 · Accepted Answer · answered Sep 04 '09 at 02:22

I tried creating my own AuthorizationAttribute after twk's suggestion:

public class Restrict : AuthorizeAttribute
{
    private readonly string _role;

    public Restrict(string role)
    {
        _role = role;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        if (httpContext.User.IsInRole(_role))
            return false;

        return true;
    }
}

And I use it like this:

[Restrict("Administrator")]
public class HomeController : Controller
{
    // code
}

I'm unsure whether it is correct practice but it does the job.

Does your Restrict attribute accept more than one role at once? — twk, Sep 04 '09 at 15:38

score 1 · Answer 2 · edited May 23 '17 at 10:27

1

You should prepare your own ActionFilter which can implement such a feature. By default there is a rule of deny everything, but allow defined by Authorize action filter (as you already know).

Some inspiration can be found there

edited May 23 '17 at 10:27

Community

1
1

answered Sep 04 '09 at 00:17

twk

3,122
2
26
36

score 1 · Answer 3 · edited May 23 '17 at 12:29

Based on ajbeaven's answer, I managed to extend it to list of Roles instead of one role.

Firstly the Restrict class:

public class Restrict : AuthorizeAttribute {
    private List<string> _roles;
    public string Roles {
        get {
            string roles = "";
            if (_roles != null && _roles.Count > 0) {
                int counter = 0;
                foreach (string role in _roles) {
                    counter++;
                    if (counter == _roles.Count) {
                        roles = role;
                    } else {
                        roles += role + ",";
                    }
                }
            }
            return roles;
        }
        set {
            _roles = new List<string>();
            string[] roles = value.Split(',');
            foreach (string role in roles) {
                _roles.Add(role);
            }
        }
    }

    public Restrict() {
        _roles = new List<string>();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        bool result = true;
        if (httpContext == null) {
            throw new ArgumentNullException("httpContext");
        }
        foreach (string role in _roles) {
            if (httpContext.User.IsInRole(role)) {
                result = false;
                break;
            }
        }
        return result;
    }
}

Then add the AppRoles class to make the whole solution reusable:

public static class AppRoles {
    public const string Role1 = "Role1";
    public const string Role2 = "Role2";
}

Usage:

[Authorize]
[Restrict(Roles = AppRoles.Role1 + "," + AppRoles.Role2)]
    public ActionResult Index() {
    return View();
}

score 0 · Answer 4 · edited Mar 04 '20 at 14:31

Simply restrict class:

public class Restrict : AuthorizeAttribute
    {
        public string RestrictedRoles;

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {          
            if (!String.IsNullOrEmpty(RestrictedRoles))
            {
                var roles = RestrictedRoles.Split(',').Select(r => r.Trim());
                foreach (var role in roles)
                {
                    if (httpContext.User.IsInRole(role))
                        return false;
                }
            }

            return true;
        }
    }

Usage

I think you have forgotten to add the usage and explanation of your solution :) — mikus, Mar 04 '20 at 14:32

ASP.NET MVC: Opposite of [Authorise]

4 Answers4

Linked