
I am trying to find the best way to structure my security roles in ASP.NET MVC.

Basically the Roles are static (Administrator, Client, Technician) but what they can do in each section is configurable, Add/Edit/Delete/View.

For example you are able to configure a Client's security to specific areas like User Accounts.

A user can be a combination of any roles, so it is possible to be a Client and a Technician and have the combined privileges of both users.

What would be a suitable way to go about doing this in ASP.NET MVC?

George Stocker
Trent Stewart
  • MVC is a design pattern; ASP.NET MVC is a framework that uses that design pattern. – George Stocker Aug 05 '13 at 12:12
  • You want the AuthorizeAttribute; you add it to your controller methods. Assuming you are using .NET MVC of course. http://stackoverflow.com/questions/10848086/authorize-attribute-in-asp-net-mvc – Louis Ricci Aug 05 '13 at 12:16
  • possible duplicate of [ASP.NET MVC Roles and Security](http://stackoverflow.com/questions/15802503/asp-net-mvc-roles-and-security) – Amit Aug 06 '13 at 05:29

3 Answers


I would suggest this solution:

  • Database

    1. Users ([PK]Id, Name, etc.)
    2. Roles ([PK]Id, Name, Description, etc.)
    3. UserRoles ([PK]UserId, [PK]RoleId)

The Users table stores information about users, like their names, emails, etc. Roles stores information about roles, like their names, descriptions, etc. UserRoles is just a look-up table which you can use to tie a specific user to a specific role.

  • Code

In order to let your code work with these tables, you can add your own custom role provider; two methods will give you enough to work with: public override string[] GetRolesForUser(string username) and public override bool IsUserInRole(string username, string roleName).

  • Usage

When you have completed this, you can simply use the Authorize attribute [Authorize(Roles = "Administrator")] to check whether the user has access to a specific action or controller, or you can use a Razor check @User.IsInRole("Administrator") in order to show/hide some HTML based on the user's role.


Please check the following links for more info:

Val
  • Thanks, but as each area is dynamic about who can add/delete/edit/view what, there might be a problem with hard-coding the user group. Wouldn't I be better off using [ClaimsAuthorize("View", "User")] and then checking the user's roles to see if any of them allow viewing a user? – Trent Stewart Aug 05 '13 at 20:14
  • Looks like I don't understand your aim. As I understand it, you want to provide specific functionality (e.g. the ability to delete some items from a list) based on the Role(s) the user has. In this case I would suggest showing the 'Delete' control only for specific Roles with the help of Razor syntax. Please clarify your aim for me. Thanks. – Val Aug 05 '13 at 20:39
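As an added example (not Val's code and not from the original page), the two methods Val names, implemented as a plain class over the Users / Roles / UserRoles tables from the answer; a custom RoleProvider's GetRolesForUser and IsUserInRole overrides would simply delegate to these. SqlRoleStore, the connection string and the column names Users.Name and Roles.Name are assumptions for this example. Both queries are parameterized, so the user name typed at login never becomes part of the SQL text, and a user with two UserRoles rows (Client and Technician) comes back with both names, which is what the combined-privileges requirement in the question needs.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Role lookups over the Users / Roles / UserRoles tables from the answer (assumed column names).
// A custom RoleProvider would delegate its GetRolesForUser / IsUserInRole overrides here.
public sealed class SqlRoleStore
{
    private readonly string _connectionString;

    public SqlRoleStore(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Every role name the user holds; one row per UserRoles entry, so a Client + Technician
    // returns both names and the caller can take the union of what each role allows.
    public string[] GetRolesForUser(string userName)
    {
        const string sql =
            @"SELECT r.Name
              FROM Users u
              JOIN UserRoles ur ON ur.UserId = u.Id
              JOIN Roles r ON r.Id = ur.RoleId
              WHERE u.Name = @userName";

        var roles = new List<string>();
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Parameterized: the user name is bound as a value, never concatenated into the SQL text.
            command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        return roles.ToArray();
    }

    // EXISTS check instead of loading every role; name comparison follows the column collation.
    public bool IsUserInRole(string userName, string roleName)
    {
        const string sql =
            @"SELECT CASE WHEN EXISTS (
                  SELECT 1
                  FROM Users u
                  JOIN UserRoles ur ON ur.UserId = u.Id
                  JOIN Roles r ON r.Id = ur.RoleId
                  WHERE u.Name = @userName AND r.Name = @roleName)
              THEN 1 ELSE 0 END";

        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            command.Parameters.Add("@roleName", SqlDbType.NVarChar, 256).Value = roleName;
            connection.Open();
            return (int)command.ExecuteScalar() == 1;
        }
    }
}
```

Usage: new SqlRoleStore(connectionString).GetRolesForUser(User.Identity.Name) gives the array that [Authorize(Roles = "...")] and User.IsInRole would consult once the provider is wired up in web.config; calling it per request rather than caching roles in the session means a role removed by the administrator takes effect on the next request.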

This is how we did it

using System;
using System.Linq;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

public enum YourUserRoles
{
    None = 0,
    Admin = 1,
    Consumer = 2
}

public class YourAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly YourUserRoles[] _acceptedRoles;

    public YourAuthorizeAttribute(params YourUserRoles[] acceptedroles)
    {
        _acceptedRoles = acceptedroles;
    }

    // allowAll = true accepts every role; anything else accepts none (deny by default)
    public YourAuthorizeAttribute(params bool[] allowAll)
    {
        _acceptedRoles = allowAll.Length > 0 && allowAll[0]
            ? new[] { YourUserRoles.Admin, YourUserRoles.Consumer }
            : new YourUserRoles[0];
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // SessionHelper is the answer's own session wrapper (not shown here);
        // UserInSession.Roles is the logged-in user's collection of YourUserRoles values
        if (SessionHelper.UserInSession == null) // user not logged in
        {
            string retUrl = filterContext.HttpContext.Request.RawUrl;
            FormsAuthentication.SignOut();
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "controller", "home" },
                { "action", "index" },
                { "returnUrl", retUrl }
            }); // send the user to the login page with a return url
            return;
        }

        // logged in, but holding none of the roles this action accepts
        if (!_acceptedRoles.Any(acceptedRole => SessionHelper.UserInSession.Roles.Any(currentRole => acceptedRole == currentRole)))
        {
            filterContext.Result = new ViewResult
            {
                ViewName = "~/Views/Shared/Error.cshtml"
            };
        }
    }
}

[YourAuthorize(YourUserRoles.Consumer)]
public ActionResult Whatever()
{
  ....
}
Satpal
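An added example (not from the question or any of the answers) that combines Val's role lookup with Satpal's custom-filter approach and addresses the asker's comment above about per-area Add/Edit/Delete/View rights: the grant for each role in each section lives in data (what the administrator configures), a user's effective permissions are the union over every role held, and an attribute derived from AuthorizeAttribute enforces them, denying by default. The Permission enum, IPermissionStore, InMemoryPermissionStore, PermissionResolver, RequirePermissionAttribute, UserAccountsController and the sample users alice/bob/carol are all assumptions for this example; the in-memory store is constructed data standing in for Users/UserRoles plus a role-permission table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// The operations from the question, as flags so a role can hold any subset per section.
[Flags]
public enum Permission { None = 0, View = 1, Add = 2, Edit = 4, Delete = 8 }

public interface IPermissionStore
{
    IEnumerable<string> GetRolesForUser(string userName);      // static roles the user holds
    Permission GetPermissions(string role, string section);    // admin-configured grant per role and section
}

// Constructed sample data for this example (a real store reads UserRoles and a RolePermissions table).
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, string[]> UserRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Administrator" } },
            { "bob",   new[] { "Client", "Technician" } },   // holds two roles at once
            { "carol", new[] { "Client" } },
        };

    private static readonly Dictionary<string, Permission> RolePermissions =
        new Dictionary<string, Permission>(StringComparer.OrdinalIgnoreCase)
        {
            { "Administrator|UserAccounts", Permission.View | Permission.Add | Permission.Edit | Permission.Delete },
            { "Client|UserAccounts",        Permission.View },
            { "Technician|UserAccounts",    Permission.Edit },
        };

    public IEnumerable<string> GetRolesForUser(string userName)
    {
        string[] roles;
        return UserRoles.TryGetValue(userName ?? "", out roles) ? roles : new string[0];
    }

    public Permission GetPermissions(string role, string section)
    {
        Permission granted;
        return RolePermissions.TryGetValue(role + "|" + section, out granted) ? granted : Permission.None;
    }
}

public static class PermissionResolver
{
    // Union of every role's grant: bob (Client + Technician) gets View | Edit on UserAccounts.
    // Unknown users, roles and sections contribute nothing, so the default is deny.
    public static Permission Effective(IPermissionStore store, string userName, string section)
    {
        return store.GetRolesForUser(userName)
                    .Aggregate(Permission.None, (acc, role) => acc | store.GetPermissions(role, section));
    }

    public static bool Has(IPermissionStore store, string userName, string section, Permission required)
    {
        return required != Permission.None && (Effective(store, userName, section) & required) == required;
    }
}

// Deriving from AuthorizeAttribute keeps MVC's output-cache validation handling intact.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    public static IPermissionStore Store = new InMemoryPermissionStore(); // swap for the DB-backed store at startup

    private readonly string _section;
    private readonly Permission _required;

    public RequirePermissionAttribute(string section, Permission required)
    {
        _section = section;
        _required = required;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User != null ? httpContext.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated)
            return false;
        return PermissionResolver.Has(Store, identity.Name, _section, _required);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but not permitted: 403, instead of the login redirect the base class issues for every failure.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class UserAccountsController : Controller
{
    [RequirePermission("UserAccounts", Permission.View)]
    public ActionResult Index() { return View(); }

    [HttpPost, ValidateAntiForgeryToken]
    [RequirePermission("UserAccounts", Permission.Delete)]
    public ActionResult Delete(int id) { /* delete the account */ return RedirectToAction("Index"); }
}
```

With this data, carol can reach Index but gets a 403 from Delete, bob can reach Index and would pass an Edit check but not Delete, and alice passes all four. For the show/hide that Val mentions, the view can call the same resolver, e.g. @if (PermissionResolver.Has(RequirePermissionAttribute.Store, User.Identity.Name, "UserAccounts", Permission.Delete)) around the Delete button, so the rendered controls and the server-side check can never disagree; hiding the button alone is not an authorization control.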
  1. Initially you can check how many roles the user exists in.
  2. Create a view to show the Roles and write the message "please select a role to proceed".
  3. After the user chooses a role, proceed with the user according to the selection.