9

I have built an MVC website on IIS6. I used the built-in ASP.NET Security without Membership, just the way it was implemented in the template solution. It is easy to secure a controller or action, but now I need to expose the user management to an admin logged into the site. I understand that the built-in ASP controls for doing this are not "best practice" and are a dog to get working. So what is the best practice for offering user management through an ASP.NET MVC application?

I considered using the Entity Framework and wiring it up to the myriad of stored procs, but that seems awkward. I see options for AccountMembershipService and FormsAuthenticationService. That is what the existing project account controller uses. But I am not familiar with either.

I can't help but think that this should have already been there from the project template. This is a fundamental part of any website and you were given 15%, why not the rest?

DrydenMaker
  • Which version of IIS will you be using? I'm pretty sure IIS 7 has something built in for user management. – Perhentian Jul 24 '09 at 11:52
  • 1
    Perhaps you should just update your question instead of posting a lot of comments, makes it more readable for the people trying to answer your question :) – Peter Jul 27 '09 at 10:25

5 Answers

1

As far as I can tell, you are using SqlMembershipProvider as your Membership Provider implementation. I would strongly suggest that you have a look at some of the methods of MembershipUser and MembershipProvider classes (such as CreateUser, etc) to achieve what you are trying to do instead of working with the underlying database tables used for the implementation.

You can also have a look at this article for an in-depth intro to ASP.NET's Membership, Roles, and Profile providers.

paracycle
  • That sounds like the area where I went a little. Thanks for the article. I think the MVC only uses a portion of this functionality though, and I want to avoid using the whole Membership mechanism. But maybe that is a bad idea, we will see. – DrydenMaker Jul 27 '09 at 14:26
  • I also wanted to note that I have been avoiding tutorials like this because they don't really fit with the MVC. Good article though, it clarifies some things for me. – DrydenMaker Jul 27 '09 at 19:17
  • I do realize that the tutorial doesn't fit with the MVC mindset but it gives you the basics of handling Membership, Role and Profile objects which you can use to build your MVC project. I do realize that it is a PITA to not have a starter kit for Membership Administration bundled with ASP.NET MVC. However, given the development history, I guess the fact that the [Authorize] filter even exists out-of-the-box was because it was trivial to implement for the MVC team. So, I guess you should rely on the default MVC template more as a demo than a starting point. – paracycle Jul 28 '09 at 15:26
1

Check out this project at CodePlex: ASP.Net MVC Membership Starter Kit

Eduardo Molteni
  • Would someone care to comment on why this was downvoted? AFAIK this project allows you to edit Membership users and roles within MVC. (If it is really wrong I will delete the answer) – Eduardo Molteni Jul 27 '09 at 11:27
  • I don't know why it was voted down, but is this an official part of the MVC? It seems like how it should have been done, that is in more of a complete manner. – DrydenMaker Jul 27 '09 at 14:28
  • I do see one reason, I think the ASP.Net MVC Membership Starter Kit is written in C#, whereas I am using VB2k8. – DrydenMaker Jul 27 '09 at 14:41
  • It is not official, just an open source project to tackle a common problem in the current MVC implementation. As for the VB.net part, I'm a VBer also, but almost all open source are in C#, translating it or using it as a separate project or taking it as a reference is not difficult. – Eduardo Molteni Jul 27 '09 at 16:50
0

I don't know about "best practice" but this is how I would do it (and how it is sort of written in "Professional ASP.NET MVC 1.0"):

You should have a custom (or the default) ProfileProvider and MembershipProvider in place for this to work.

Create a controller which handles all the member management actions, e.g. MemberAdminController.

This controller should have the [Authorize(Roles="Administrator")] attribute specified so all actions in this controller will only be handled if the user is in the Administrator role.

Now you can build the CRUD views and actions how you would like using only this controller.

Peter
  • That is the direction I am going in. I think the project template is a travesty since it allows for signup and everything BUT exposing the administration. It is a sure fire way to get a lot of poor applications out there. – DrydenMaker Jul 27 '09 at 14:31
  • It all depends on how you implement your authentication. I don't think it's a travesty, the asp.net mvc framework gives the developer a lot more responsibility because a lot of things aren't handled in a default way which webforms did. If you don't require authentication for the rest of your site, simply don't give it to them. You always have to expose a public login form to access your admin... this is no different from webforms. – Peter Jul 29 '09 at 09:22
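
One way to lay out the controller described in this answer, in VB.NET since that is what the asker uses. This is an added example, not code from the answer or from the MVC project template: the action names Unlock and SetApproval and the FindUser helper are hypothetical, and it assumes a configured role provider with an Administrator role and views whose forms emit Html.AntiForgeryToken().

```vbnet
Imports System
Imports System.Web.Mvc
Imports System.Web.Security

' Added example: every action in this controller requires the Administrator role.
<Authorize(Roles:="Administrator")> _
Public Class MemberAdminController
    Inherits Controller

    ' GET /MemberAdmin : read-only list of all accounts.
    Public Function Index() As ActionResult
        Return View(Membership.GetAllUsers())
    End Function

    ' State-changing actions accept POST only and require an anti-forgery token,
    ' so a link or a third-party page cannot act through the admin's session.
    <AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken()> _
    Public Function Unlock(ByVal userName As String) As ActionResult
        Dim target As MembershipUser = FindUser(userName)
        If target Is Nothing Then Return RedirectToAction("Index")
        target.UnlockUser()
        Return RedirectToAction("Index")
    End Function

    <AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken()> _
    Public Function SetApproval(ByVal userName As String, ByVal approved As Boolean) As ActionResult
        Dim target As MembershipUser = FindUser(userName)
        If target Is Nothing Then Return RedirectToAction("Index")
        ' Keep an admin from disapproving the account they are signed in with.
        If Not approved AndAlso String.Equals(target.UserName, User.Identity.Name, _
                                              StringComparison.OrdinalIgnoreCase) Then
            ModelState.AddModelError("userName", "You cannot disapprove your own account.")
            Return View("Index", Membership.GetAllUsers())
        End If
        target.IsApproved = approved
        Membership.UpdateUser(target)
        Return RedirectToAction("Index")
    End Function

    ' Rejects empty input up front; GetUser returns Nothing when no such account exists.
    Private Function FindUser(ByVal userName As String) As MembershipUser
        If String.IsNullOrEmpty(userName) Then Return Nothing
        Return Membership.GetUser(userName, False) ' False: do not update LastActivityDate
    End Function
End Class
```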
0

I have user auth working in a somewhat sane manner now. The biggest hurdle to get over is that it IS ok to use the Membership classes, even though I am not using the Profile aspect of membership. It is easy to get the user name and do Membership.GetUser(UserName). Then you can do many things like Unlock, Approve/Disapprove, change the password and change password question/answer... all the basics I need.

Here are the basics:

'requires Imports System.Web.Security at the top of the file
'newEmail, oldPw and newPw are values supplied by the caller

'get current logged in user
Dim currentUser As MembershipUser = Membership.GetUser()

'get current logged in user name
Dim userName = currentUser.UserName

'get current user email
Dim userEmail = currentUser.Email

'get a user to edit
Dim editingUser = Membership.GetUser(UserName)

'set the user email
editingUser.Email = newEmail
Membership.UpdateUser(editingUser)

'unlock user
editingUser.UnlockUser()

'disapprove user
editingUser.IsApproved = False
Membership.UpdateUser(editingUser)

'approve user
editingUser.IsApproved = True
Membership.UpdateUser(editingUser)

'change pw (needs the user's current password)
editingUser.ChangePassword(oldPw, newPw)

and that is mostly all there is to it

DrydenMaker
0

In MvcCms we used the RoleProvider out of the box but converted the membership provider over to entity.

http://mvccms.codeplex.com/SourceControl/changeset/view/56727#994414

MvcCmsJon