3

I have an ASP.NET MVC project. In this project a user can login to my website. All logged in users go to the same page login page. There is a separate section of my website that is then sectioned off only for certain users. This is defined in the Web.config by the following:

<location path="SectionedOff">
  <system.web>
    <authorization>
      <allow users="user1,user2,user3" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

If a user is authorized for this section, I want to show a button on the page that everyone is redirected to upon login. Here is a crude paint drawing of what I am trying to accomplish: (image not included)

I already have authentication done along with proper authorization, I just am not sure how to show and hide this button based on whether the user is authorized for a separate section of the website. I have a sneaking suspicion that I will have to read the Web.config file for this information, however, I can't figure out how to read info in a location in the Web.config. Any help would be appreciated :)

Chris

2 Answers

5

The <authorization> section in the web.config file is for securing virtual files and folders. It has absolutely no effect on MVC controllers and actions (unless of course the action is trying to access a physical file).

The proper way to secure MVC controllers and actions is to use the AuthorizeAttribute. See this post for examples of how to use it in conjunction with the AllowAnonymous attribute (the recommended way is to secure everything unless you want to opt out, then apply the AllowAnonymous attribute).

AuthorizeAttribute depends on the IPrincipal and IIdentity interfaces. All of the security frameworks from Microsoft (Identity, Membership, etc.) implement these interfaces, so they work seamlessly with AuthorizeAttribute. If you have a custom security framework, you should implement these interfaces - see this answer.

Once those implementations are in place and added as part of the HttpContext, checking whether the user is logged in and whether they are in a certain role is pretty straightforward.

@if (this.User.Identity.IsAuthenticated)
{
    <input type="button" value="Go somewhere that requires logged in user" />
}

@if (new string[] { "user1", "user2", "user3" }.Contains(this.User.Identity.Name))
{
    <input type="button" value="Go somewhere that requires user1, user2, or user3" />
}

@if (this.User.IsInRole("Admin"))
{
    <input type="button" value="Go somewhere that requires an Admin role" />
}

Alternatively, you could use MvcSiteMapProvider, which automatically hides menu options when the AuthorizeAttribute on the corresponding action doesn't have permission.

Disclaimer: I am a major contributor of the MvcSiteMapProvider project.

NightOwl888
  • I actually already have the Authorize attribute applied for authentication, and unfortunately, due to certain project restrictions, I can't enable the roleManager. I could keep the users in string array as you have here, but I was really hoping that there would be a way to grab them from the WebConfig, since they are already defined there under that authorization attribute. – Chris May 31 '16 at 20:41
  • AuthorizeAttribute doesn't go in the web.config. It goes on your controllers and actions. You are applying ASP.NET security, but you need to use MVC security (otherwise you literally have **no** security). – NightOwl888 May 31 '16 at 20:51
  • I know. It is in each controller / on each Action result that it needs to be on. The authentication works just fine, along with the proper authorization for pages. It is just a matter of showing that button only to those who are authorized for the other location. – Chris May 31 '16 at 21:20
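The asker wants the same allow/deny rules that the Web.config `<location>` already holds to drive the button, rather than repeating the user list in the view. The following helper is an added example, not code from the question or either answer: it evaluates the configured URL-authorization rules for the current principal with `UrlAuthorizationModule.CheckUrlAccessForPrincipal`, and separately reads the explicit allow rules for inspection. The class name `SectionAccessHelper`, the method names, and the `~/SectionedOff` path (taken from the question's config) are assumptions. As the accepted answer points out, this only mirrors what URL authorization would decide for a physical path; it does not protect MVC actions, which still need `AuthorizeAttribute`.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical helper (not part of the original post or answers).
public static class SectionAccessHelper
{
    // Evaluates the <authorization> rules in effect for a virtual path
    // (including rules inside a matching <location> element) for the given
    // principal. This is the same evaluation ASP.NET's UrlAuthorizationModule
    // performs for a request; it knows nothing about AuthorizeAttribute.
    public static bool CanAccess(IPrincipal user, string appRelativePath, string verb = "GET")
    {
        // An anonymous principal is treated like an unauthenticated request.
        if (user == null)
        {
            user = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }

        // CheckUrlAccessForPrincipal expects a rooted virtual path, so resolve "~/".
        string absolutePath = VirtualPathUtility.ToAbsolute(appRelativePath);
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(absolutePath, user, verb);
    }

    // Reads the explicit <allow users="..."/> entries that apply to a path.
    // Wildcards ("*" for everyone, "?" for anonymous) are returned as-is, so
    // callers should prefer CanAccess for a real decision; this is for display
    // or diagnostics only.
    public static string[] AllowedUsers(string appRelativePath)
    {
        string absolutePath = VirtualPathUtility.ToAbsolute(appRelativePath);
        Configuration config = WebConfigurationManager.OpenWebConfiguration(absolutePath);
        var section = (AuthorizationSection)config.GetSection("system.web/authorization");

        return section.Rules.Cast<AuthorizationRule>()
            .Where(rule => rule.Action == AuthorizationRuleAction.Allow)
            .SelectMany(rule => rule.Users.Cast<string>())
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();
    }

    // Razor-friendly extension so a view can write:
    //   @if (Html.CanAccessSection("~/SectionedOff/"))
    //   {
    //       <input type="button" value="Go to the sectioned-off area" />
    //   }
    public static bool CanAccessSection(this HtmlHelper html, string appRelativePath)
    {
        return CanAccess(html.ViewContext.HttpContext.User, appRelativePath);
    }
}
```

Because the decision is made by the same rule engine that guards the folder, the view and the config cannot drift apart the way a hard-coded `new string[] { "user1", ... }` can. Keep `[Authorize]` on the controllers that serve the sectioned-off area: hiding the button is a usability measure, and the server-side check is what actually prevents access.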
0

You could use something like this:

if (User.IsInRole("Manager")) {}

Then inside the if control the visibility of the button using css classes.

That's assuming you have different roles setup.

This method has always worked well in my projects.

James