3

In our MVC app, we're by-passing the RolesProvider in favor of just caching our roles in a cookie that will be passed around. Following several suggestions around the interwebs, we're leveraging the Application_AuthenticateRequest event, like so:

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            return;
        }

        // read the roles from the cookie and set a custom generic principal
        var fi = (FormsIdentity)HttpContext.Current.User.Identity;
        var httpCookie = HttpContext.Current.Request.Cookies["Roles"]; // custom cookie set during authentication
        if (httpCookie != null)
        {
            string rolesCookie = httpCookie.Value;
            var pmUserRoles = rolesCookie.Split(',');
            GenericPrincipal gp = new GenericPrincipal(fi, pmUserRoles);
            HttpContext.Current.User = gp;
        }
    }

I'm stepped through that method and threw in a couple conditionals with some of our roles, and immediately after the current User is set, User.IsInRole("rolename") works like a charm.

But then, when trying to make the same call in a view:

@if(Request.IsAuthenticated)
{
    if (User.IsInRole("role1") || User.IsInRole("role2"))
    {
        <!-- show something -->
    }
    else if (User.IsInRole("role3"))
    {
        <!-- show something else -->
    }
}

The roles can't be accessed. When I dig into the User at this point, it looks like the roles don't even exist, right after I confirmed that the User has them at the end of the AuthenticateRequest event.

This question has similar problems, I was going to just comment there but I guess I can't because of my low rep - but it looks like this isn't just an issue with me.

I also looked at this question which has a similar approach, but this is giving me the same result.

Any suggestions or comments on what's going on?

Community
  • 1
  • 1
mshubert12
  • 269
  • 1
  • 4
  • 14
  • 1
    This is not an answer but using conditionals in your views (especially for access rights) is a very bad application design. Views should **always** be dumb. If what you are trying to acheive is a navigation menu, build up a dictionnary list of routes while you are in the controller (with only the menus you should have access to) then put it in your view model. Then you view can just do the display work without worrying about what menu you should see or not. – Pluc Oct 26 '12 at 15:35
  • @Pluc thanks for the tip! I'll look at re-writing that. +1 – mshubert12 Oct 26 '12 at 16:21

2 Answers2

3

I finally found the answer to this, using the Application_OnPostAuthenticateRequest handler instead of Application_AuthenticateRequest.

Courtesy of this answer (which was surprisingly not the accepted one in that thread!). Thanks to Tiago Matias!

Community
  • 1
  • 1
mshubert12
  • 269
  • 1
  • 4
  • 14
1

Try HttpContext.Current.User.IsInRole instead of User.IsInRole.

Ecnalyr
  • 5,792
  • 5
  • 43
  • 89
  • That's not the issue, `IsAuthenticated` is being set to true in our controller. The Razor code is getting into the inner conditional. – mshubert12 Oct 26 '12 at 15:06
  • Nope, those don't work either? :/ If it matters, this is in my _Layout page, not sure if that makes a difference though. – mshubert12 Oct 26 '12 at 15:16
  • Sorry I didn't get back to you quickly enough. Glad you found the answer. – Ecnalyr Oct 27 '12 at 17:47