
I currently have a custom attribute that is put on both my admin controller and home controller. The custom attribute will first go to Active Directory to check if the user is in a particular AD group that gives them admin privileges for the whole application. If the user is not in the AD group, the custom attribute will then look in the security table to see if they have a security record that can give them admin rights, Add record rights, Delete record rights, and/or Update record rights.

I am setting up a current user during the execution of the attribute and adding it to HttpContext.Current.Session. While the whole page is loading I am making AJAX calls to load the data for each section of my page, and the security cannot be accessed in the AJAX call. I want to hide and show the different buttons (Add, Remove, Edit and Delete) according to the permissions they have.

I have read I can use the attribute

 [WebMethod(EnableSession = true)]

on my method, which works, but I do not think this is best practice, and I know this slows down performance quite a bit. I also read that this is used more for Web API than for an MVC application. Is there a better way to access Session data in HttpContext during an AJAX call?

Juan

1 Answer


If it is just about show/hide logic, why don't you just do that in Razor views (you can access Session from there), something like below:

@{
    // Session can be empty (expired, or the attribute did not run for this request);
    // treat that as "no rights" instead of throwing on the cast
    var user = Session["Current_User"] as MyUser;
    // MyUser can have IsInRole method for security checking
}
<section class="view-body">
    @if (user != null && (user.IsInRole("ServiceOrder_Create") || user.IsInRole("ServiceOrder_Assign")))
    {
        <input type="button" id="edit_btn" value="Edit" />
    }
    @if (user != null && user.IsInRole("ServiceOrder_Delete"))
    {
        <input type="button" id="delete_btn" value="Delete" />
    }
</section>

Of course, we have to check the user's permissions again in the Web API methods. Web API is stateless by default, which means we can't access Session directly, but there's a trick that helps us enable Session here: Enable session in Web Api 2

phnkha
  • We are not using the authorization out of the box. We are using a custom attribute. User.IsInRole will not work for our solution. – Juan Oct 05 '15 at 16:37
  • It's just an example; anyway, I edited my answer, please check again for a clearer understanding. – phnkha Oct 05 '15 at 16:54
  • Ugh. Why even bother using Web API, if you're going to do something like enable sessions? The whole point of Web API is to create a true, REST-compliant API. Otherwise, you can always just create endpoints in MVC and do whatever you like. – Chris Pratt Oct 05 '15 at 17:20
  • @ChrisPratt totally agree :) – phnkha Oct 05 '15 at 17:34
  • Do you guys have another solution I can try? We don't want to use Web API. We also do not want to go back to Active Directory and the database for each one of the buttons either. – Juan Oct 05 '15 at 18:08
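The following is an added example, not code from the question or the answer, showing how the pieces described in this thread fit together in plain ASP.NET MVC without Web API: the custom attribute resolves the user's rights once and caches them in Session, so neither Active Directory nor the security table is hit per button or per AJAX call; MVC controller actions (unlike Web API) already have Session, so AJAX endpoints written as MVC actions need no EnableSession trick; and every mutating action re-checks its own right, because hiding a button in the view is a convenience rather than a control. The `IRightsResolver` interface, the `AppRights` names, the 15-minute cache lifetime and the `Permissions` and `Delete` actions are assumptions made for the example; the session key `Current_User` matches the one used in the answer.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Rights mirror the question's security table; Admin implies all of them.
[Flags]
public enum AppRights { None = 0, Add = 1, Update = 2, Delete = 4, Admin = 8 | Add | Update | Delete }

// What the attribute caches in Session so AD and the security table are not queried per request.
public class CurrentUser
{
    public string Name { get; set; }
    public AppRights Rights { get; set; }
    public DateTime ResolvedAtUtc { get; set; }
    public bool Has(AppRights right) { return (Rights & right) == right; }
}

// Hypothetical abstraction over the AD group lookup and the security-table query
// described in the question; register an implementation with the MVC DependencyResolver.
public interface IRightsResolver
{
    AppRights Resolve(string userName);
}

public class RequireRightsAttribute : AuthorizeAttribute
{
    public const string SessionKey = "Current_User";
    // Cap on how stale a cached result may be (assumption): a removed AD membership
    // or deleted security-table row stops being honoured after this long.
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(15);
    private readonly AppRights _required;

    public RequireRightsAttribute(AppRights required = AppRights.None) { _required = required; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User == null ? null : httpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return false;

        var user = httpContext.Session[SessionKey] as CurrentUser;
        // Re-resolve when the cache is missing, belongs to a different login on a reused
        // session, or is older than MaxAge; otherwise the cached rights are used as-is.
        if (user == null
            || !string.Equals(user.Name, identity.Name, StringComparison.OrdinalIgnoreCase)
            || DateTime.UtcNow - user.ResolvedAtUtc > MaxAge)
        {
            var resolver = DependencyResolver.Current.GetService<IRightsResolver>();
            user = new CurrentUser
            {
                Name = identity.Name,
                Rights = resolver.Resolve(identity.Name),
                ResolvedAtUtc = DateTime.UtcNow
            };
            httpContext.Session[SessionKey] = user;
        }
        return user.Has(_required);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An AJAX caller cannot follow the login-page redirect the base class issues, so it
        // gets a status code instead: 401 when not signed in, 403 when signed in but lacking the right.
        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            var signedIn = filterContext.HttpContext.User.Identity.IsAuthenticated;
            filterContext.Result = new HttpStatusCodeResult(
                signedIn ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}

[RequireRights]
public class HomeController : Controller
{
    // Feeds the client's show/hide logic. This is a convenience only: hiding a button
    // is not a control, and every mutating action enforces its own right.
    [HttpGet]
    [OutputCache(NoStore = true, Duration = 0)]
    public JsonResult Permissions()
    {
        // Set by the controller-level attribute before any action runs.
        var user = (CurrentUser)Session[RequireRightsAttribute.SessionKey];
        return Json(new
        {
            canAdd = user.Has(AppRights.Add),
            canUpdate = user.Has(AppRights.Update),
            canDelete = user.Has(AppRights.Delete)
        }, JsonRequestBehavior.AllowGet);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [RequireRights(AppRights.Delete)]
    public ActionResult Delete(int id)
    {
        // Reached only after the attribute confirmed the Delete right for this session.
        return Json(new { deleted = id });
    }
}
```

The page's JavaScript calls `Permissions` once after load and toggles the buttons from the JSON; a user who unhides a button with the browser's developer tools still gets a 403 from `Delete`. The `MaxAge` check is the trade-off between the question's wish not to query AD and the database on every request and the need for a revoked group membership to take effect in bounded time; drop the session entry at logout so a shared browser does not carry one user's rights into the next login.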