
I have read hundreds of articles on ASP.NET MVC Authorization attributes and I think I make it more difficult than it should be. I set up a class in ASP.NET Identity as below:

using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Web.Mvc;
using Microsoft.AspNet.Identity.EntityFramework;

// Application user: each user has at most one MembershipSerial record.
public class UserDetails : IdentityUser
{
    public virtual MembershipSerial MembershipSerial { get; set; }
}

public class MembershipSerial
{
    [HiddenInput(DisplayValue=false)]
    public int Id { get; set; }
    // Set by the system administrator; never rendered in the form.
    [HiddenInput(DisplayValue=false)]
    public string Serial { get; set; }
    // Entered by the user; must be compared to Serial in the backend.
    [Required]
    [Display(Name="Membership Serial")]
    public string SerialConfirmed { get; set; }
}

public class MyDbContext : IdentityDbContext<UserDetails>
{
    public MyDbContext()
        : base("EFDbContext")   // connection string name from Web.config
    {
    }
    public DbSet<MembershipSerial> MembershipSerial { get; set; }
}

I would like to achieve something like below with Authorize Attribute:

// AuthorizeUser is the custom attribute I would like to write; it does not exist yet.
[AuthorizeUser(AccessLevels="Has a valid serial key and can place an order")]
public ActionResult PlaceOrder(int ProductID)
{
   // some code...
   return View();
}

[AuthorizeUser(AccessLevels="Has a valid login and can add items to cart")]
public ActionResult AddToCart(int ProductID)
{
   // some code...
   return View();
}

[AuthorizeUser(AccessLevels="Has no login and valid serialkey, anonymous ")]
public ActionResult Anonymous(int ProductID)
{
   // some code...
   return View();
}

Note: The property Serial is added by the system administrator and the property SerialConfirmed will be added by the user. The property SerialConfirmed should be compared to the Serial in the backend; if the results are okay then it should return true, else false.

Is that possible? How?

  • The 3rd method just requires the `[AllowAnonymous]` attribute. The other 2 should be doing the checks in the function (and return an error if there is no match) –  Apr 24 '16 at 10:14
  • @StephenMuecke Well yeah, the third method as you said I can set to `AllowAnonymous`, but how to do the checks for the two other ones? Here is a link for a detailed question on [this](http://stackoverflow.com/questions/36814792/how-to-setup-a-custom-authentication-on-asp-net-mvc-identity) – Coding Freak Apr 24 '16 at 10:20
  • I don't see why you would want a custom `AuthorizeAttribute` - you don't want the user redirected back to the login page again just because they don't have the right permissions. Your logic should be inside the function, i.e. call the database to get the current user's `MembershipSerial` and check what permissions they have for that method, then either throw an error or let it execute –  Apr 24 '16 at 10:25
  • @StephenMuecke I want the `AuthorizeAttribute` for making all this stuff easy; anyway, can you post this as an answer? How can I check whether the user has a serial or not? – Coding Freak Apr 24 '16 at 10:31
  • It's not really clear what your logic is for each method, so I can't add an answer. But I suspect you want something like `if (db.MembershipSerial.Any(x => x.Id == user && x.Serial == x.SerialConfirmed)) { // OK } else { throw error }` in your `PlaceOrder()` method and just `[Authorize]` on the `AddToCart()` method –  Apr 24 '16 at 10:40
  • It is like I have 10 serials entered into my database in the Serial column, as it doesn't allow null; then 10 users come with serial numbers and enter their serial numbers. This serial code should be validated against the serial code which is already in the SQL table and allow them to do some specific task – Coding Freak Apr 24 '16 at 10:46
  • Where are you getting Serial and SerialConfirmed from? And what is your authorize attribute logic? @Naser Dostdar – Faraz Saleem Apr 24 '16 at 13:27
  • @FarazSaleem the whole scenario is to allow logged-in users some specific tasks, but before that they should provide a serial number or code or whatsoever... – Coding Freak Apr 24 '16 at 13:34
  • The provided serial numbers are saved in the db and retrieved from the db? – Faraz Saleem Apr 24 '16 at 13:39
  • @FarazSaleem yes, the column Serial is saved in the db, while the column SerialConfirmed is also in the db but it is null and the user should enter it – Coding Freak Apr 24 '16 at 13:47
  • The authorize attribute is a static method which is called before a method executes, so you need to save it in a database or a session before accessing it in the authorize attribute. I will write POCO classes and methods for you to get a basic understanding of the custom attribute. – Faraz Saleem Apr 24 '16 at 13:54
