1

I have a role system where the Admin can create new roles and grant Read, Write, Edit and Delete rights based on the page menu (each page menu has it's own controller) then assign that role to the user.

Users can also have multiple roles but i got that covered. The only problem I am facing is this: since Role assigning can be done dynamically from within the application i can't use the [Authorize(Roles = Role.Admin)] attribute over controller actions.

Instead i was thinking of creating [Read], [Write], [Edit] and [Delete] attributes that i would put over the actions to let me know what that action is for and then allow or deny users to call that action.

Would this be the correct approach? What would i need to have in those custom attributes and how would i allow/deny user to call them? Anyone have any similar experience?

Let's say i have Home and Admin controller and Role1 and Role2 with following rights:

enter image description here

Would something like the above approach works? How do I define custom access for controller actions?

I want to avoid having all the actions in the database and simplify the administration on the site.

In this way administration can be done on R/W/E/D flags on controller level instead of Role1 can all Home/Index, Home/GetRecords etc... action level.

user449689
  • 3,142
  • 4
  • 19
  • 37
azza idz
  • 623
  • 3
  • 13
  • 27
  • is it true to say that anyone who has write access can also read? and that anyone who has edit rights can both read and write? and those who can delete can do all the previous actions? – LiranBo Nov 03 '15 at 14:26
  • 1
    Just create CRUD actions and specify which actions can be executed by which role (by attributes) Or create view structure per role there will be separate web.configs per role configuration. – Teoman shipahi Nov 03 '15 at 14:27
  • @LiranBo Users will get read rights if they have any other flag but Edit and Write are not the same. Write means adding something new, while edit means...well edit of something already existing. – azza idz Nov 03 '15 at 14:45

3 Answers3

1

I have same requirement for my project. In my project I have to allow user to access some pages and some pages to admin. Mostly admin can access everything, but I have to block user to access some pages/Action. I did below thing.

a. Create one class to Authenticate user/admin.

b. Create one class for User and inherited that class from "ActionFilterAttribute", and override the OnActionExecuting method.

c. Create one class for Admin and did samething as mentioned in "b", but for admin.

d. put the Authentication class name above the class name or method depending on access.

see sample code(step b). I removed some code, but you can get the idea.

public class AuthenticateUser : ActionFilterAttribute
    {
        public override void OnActionExecuting(HttpActionContext context)
        {
            //Do session check.
            if (HttpContext.Current.Session["Id"] == null || String.IsNullOrEmpty(HttpContext.Current.Session["Id"].ToString()))
            {
                HttpContext.Current.Response.StatusCode = HttpStatusCode.Forbidden.GetHashCode();
                if (filterContext.HttpContext.Request.IsAjaxRequest())
                {
                    filterContext.Result = new JsonResult { Data = new { Status = HttpStatusCode.Forbidden, LogonRequired = true, result = "Session Expired" }, JsonRequestBehavior = JsonRequestBehavior.AllowGet };
                }
                else
                {
                    //redirect to login page
                    UrlHelper oUrl = new UrlHelper(HttpContext.Current.Request.RequestContext);
                    string s = oUrl.Action("", "UserInfo/");
                    HttpContext.Current.Response.Redirect(s);
                }
            }

            //If usertype is User then allow it. If user type is admin then return redirect.

            //Redirect code if admin
            UrlHelper oUrl = new UrlHelper(HttpContext.Current.Request.RequestContext);
            string s = oUrl.Action("", "UserInfo/");
            HttpContext.Current.Response.Redirect(s);

        }
    }
user449689
  • 3,142
  • 4
  • 19
  • 37
Jigneshk
  • 350
  • 1
  • 7
0

I would define it differently, just give each user a set of roles.

Define each user with more than one role, if someone has access to write, you set a role for him to write, if he can also read you can add another role - read.

Now when you define your actions you can use this format[Authorize(Roles = Role.Read)]. Set each action by the access right it requires and you are done.

LiranBo
  • 2,054
  • 2
  • 23
  • 39
0

Use claims. each public controller action claim that you need to define.

Then have your roles defined by the list of claims/operations they can do.

Here's a great explanation here Role-based access control (RBAC) vs. Claims-based access control (CBAC) in ASP.NET MVC

Community
  • 1
  • 1
Fran
  • 6,440
  • 1
  • 23
  • 35