9

I am looking for a NuGet package that provides functionality similar to the CanCan gem in Rails ( https://github.com/ryanb/cancan ).

Does anyone know a plugin that provides a similar functionality? Or a simple way to implement this?

Thanks

Jesse Wolgamott
Karan
  • 1
    Did you ever find a good implementation of activity based authorization? – GraemeMiller Dec 06 '12 at 20:30
  • no, unfortunately I did not. I ended up writing a custom Authorize attribute. Let me know if you find a good implementation of it. – Karan Dec 10 '12 at 15:06

5 Answers

3

I ended up looking at http://www.develop.com/wifclaimsbasedauthorizationone ; it does very much as CanCan does.

For example

```csharp
ClaimsPrincipalPermission.CheckAccess("Customer","Add");
```

Would check whether the user had permission to add customers.

We are testing http://thinktecture.github.com/Thinktecture.IdentityModel.45/

Basically claims based Authorization for .Net

With MVC5 and One ASP.Net Claims is baked right into the core of .Net

GraemeMiller
2

After a long long search I found these essays useful:

http://msdn.microsoft.com/en-us/library/ff359101.aspx
http://www.codeproject.com/Articles/639458/Claims-Based-Authentication-and-Authorization
http://www.codetails.com/punitganshani/using-claims-identity-with-simplemembership-in-asp-net-mvc/20130525
http://leastprivilege.com/
http://www.postsharp.net/aspects/examples/security

UPDATE
Latest from Microsoft, introduced in the 2013 release: http://blogs.msdn.com/b/webdev/archive/2013/06/27/introducing-asp-net-identity-membership-system-for-asp-net-applications.aspx
Samples:
https://stackoverflow.com/a/18751036/316343
https://github.com/rustd/AspnetIdentitySample
http://msdn.microsoft.com/en-us/library/hh377151.aspx

I prefer the one used in the CodeProject tutorial, which is based on frameworks from the Thinktecture guys; source code is available at:
https://github.com/brockallen/BrockAllen.MembershipReboot
https://github.com/thinktecture/Thinktecture.IdentityModel.45

Just remember that the CodeProject article is outdated from the persistence point of view.
Now MembershipReboot supports EntityFramework, MongoDB and RavenDB as data stores.

Community
Jahan Zinedine
1

Recently I was searching for something about activity-based authorization and I found an interesting tutorial on how to implement it: https://mkarczewski.wordpress.com/2013/10/21/activity-based-authorization-in-modular-systems/

I also found this library, and it seems very cool! This is something I was hoping to find. https://github.com/michelgrootjans/CanI/blob/master/README.md

Rafał Straszewski
0

In .NET you should be using Membership Provider and Authorize attributes.

Jakub Konecki
  • 2
    I am not the downvoter, but I think the reason this was downvoted was because Membership provides permission on roles, rather than permissions on an activity. Maybe I am wrong, but with Cancan I have had the ability to restrict access to perform a certain action by defining the "ability" to do something on the ability file. Say I have a picture resource and users, and one user would like to *edit* the picture - would I need to put him in an editing role with membership providers? With cancan I can simply add code that says: "User has permission to *edit* a picture resource if he owns it" – Karan Oct 04 '12 at 13:42
  • This kind of logic can be implemented in custom `Authorize` attribute. – Jakub Konecki Oct 04 '12 at 14:52
0

Check out this page in the ASP.NET Core documentation. It's somewhat similar to what cancan does.

You write an Authorization Handler like so:

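```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;

public class DocumentAuthorizationHandler :
    AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    // The base method is protected; an override cannot change its accessibility.
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   OperationAuthorizationRequirement requirement,
                                                   Document resource)
    {
        // Validate the operation using the resource, the identity and
        // the Name property value from the requirement.
        // Call context.Succeed(requirement) only when the check passes;
        // without it the requirement is not met and access is denied.

        return Task.CompletedTask;
    }
}
```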

Now you can use the following code in your controllers:

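```csharp
// On ASP.NET Core 2.0 and later, AuthorizeAsync returns an AuthorizationResult;
// test its Succeeded property instead of using the result as a bool.
if (await authorizationService.AuthorizeAsync(User, document, Operations.Read))
{
    return View(document);
}
else
{
    return new ChallengeResult();
}
```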

or in your views:

```cshtml
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
{
    <p><a class="btn btn-default" role="button"
        href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
}
```
Amir Vakili