31

In my View I have some admin links that I would like to hide and show based on user role. How can I do this inside the view? E.g.:

```aspx
<% if(CHECK IF USER ROLE ADMIN) { %>
        <div class="tools">
            <ul>
                <li class="edit"><%= Html.ActionLink("Edit", "Edit", new { id = Model.storyId }) %></li>
                <li class="delete"><%= Html.ActionLink("Delete", "Delete", new { id = Model.storyId }) %></li>
            </ul>
        </div>
<% } %>
```
Cameron
  • 8
    You might want to just perform this check in your action and put the value into ViewData hash or as a property on your viewmodel to keep your views dumb. – Roman Jan 06 '11 at 00:44
  • I would prefer to just check inside the view using a simple if statement. I've done it before but just can't remember the code. – Cameron Jan 06 '11 at 00:47
  • 1
    Just because you've done it before doesn't make it a great idea. Remember any code (however trivial) you put into your view is code you can't (at least easily) write tests against or refactor. Rob Conery also wrote a great post a while back on [Avoiding Tag Soup](http://blog.wekeroad.com/blog/asp-net-mvc-avoiding-tag-soup/). – Roman Jan 06 '11 at 00:52
  • Also, what does "user role is admin" mean? Are we talking about Windows credentials or your application's definition of *administrator*? – Roman Jan 06 '11 at 00:54
  • 1
    I don't see any reason to not have it in the View if it's just a simple check for a role to show links. I also have checks in the Controller against the Edit and Delete methods so users still have to have access, but I also wanted to show the links to the correct users to make it easier. I can't see a problem. – Cameron Jan 06 '11 at 01:00
  • @R0MANARMY Can you give an example of how you would do this? Because the way I see it, if you use ViewData, you still need to check the value to know whether or not to display the links. – Shawn Mclean Sep 22 '11 at 20:05
  • Is this a good security safe approach, by putting a security related property in the ViewModel, e.g. AdministratorRole? FYI I've just done this now, and can access the ViewModel property in the view and show/hide "stuff" accordingly. If not, is there a better, secure way of doing this? – OpcodePete Mar 14 '14 at 06:47

3 Answers

64
```cshtml
@if (this.User.IsInRole("Administrator"))
{

}
```
Pažout
27
```aspx
<% if (Page.User.IsInRole("Admin")){ %>

<%}%>
```

However this is a terrible idea in my opinion. It is better to let the ViewData or Model represent what the view is to display, and the view can simply check the view data. A controller base class or an action filter can make repetitive use of this very simple and allow the code to exist in one place.

CRice
  • 1
    I usually use a ViewModel to send this kind of info from a controller. However, I'm trying to display certain things in my main _Layout.cshtml based on roles. Just how "terrible" is the idea, and why? Would it be worth it to create strongly typed partial views just to add a class here and there showing and hiding content, or is this select use of a helper method in my _Layout fine? I just get nervous about generalized claims that things are "terrible ideas". – Methodician Jan 23 '16 at 02:19
  • You can just have the view model define what to show and work out all your roles logic in the controller (or a class the controller uses) and assign the view model appropriately. Checking it directly still works but will be less maintainable in larger projects and is messier for the view to deal with. – CRice Jan 24 '16 at 23:11
  • 1
    You can make the call if it's worth it or not based on your situation. – CRice Jan 24 '16 at 23:18
  • I'm in the same boat as @Methodician, but I can't seem to find any suitable alternatives. – Sinjai Aug 17 '17 at 20:52
-1

I agree with most others that this data should be provided "pre-determined", if you will, by the controller or other business services, whereas the View simply uses, as much as possible, HTML markup and language control structures to "flesh out the page" using other typical web page building goodies such as jQuery, CSS, etc.

  • 1
    I don't quite understand your statement, could you rephrase? – Shawn Mclean Sep 22 '11 at 20:03
  • He means the view should not have advanced logic besides displaying something. All the main logic (business processes, data management and access rights as described here) shall be performed by the controller and the result stored somewhere for the view to consume. – Christophe Jan 21 '21 at 19:57
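
The view-model approach discussed in the answers and comments above, as an added example that is not code from any poster on this page: the controller computes a display flag, and the `Edit` and `Delete` actions enforce the role themselves. `StoryViewModel`, `StoryController`, `CanManage` and `BuildModel` are hypothetical names, and the role name is assumed to be `"Administrator"` as in the first answer.

```csharp
using System.Web.Mvc;

// Hypothetical view model: the controller decides what the view may show.
public class StoryViewModel
{
    public int StoryId { get; set; }
    public string Title { get; set; }
    public bool CanManage { get; set; } // display hint only, never an access check
}

public class StoryController : Controller
{
    // Assumed role name (from the first answer); use what your role provider defines.
    private const string AdminRole = "Administrator";

    public ActionResult Details(int id)
    {
        return View(BuildModel(id));
    }

    // Enforcement: a hidden link does not stop a direct request to /Story/Edit/5,
    // so the actions behind the links carry the role check themselves.
    [Authorize(Roles = AdminRole)]
    public ActionResult Edit(int id)
    {
        return View(BuildModel(id));
    }

    [Authorize(Roles = AdminRole)]
    public ActionResult Delete(int id)
    {
        // Confirmation page; the POST action that deletes needs the same attribute.
        return View(BuildModel(id));
    }

    private StoryViewModel BuildModel(int id)
    {
        return new StoryViewModel
        {
            StoryId = id,
            Title = "Constructed sample title", // a real app loads the story here
            CanManage = User.IsInRole(AdminRole) // computed server-side per request
        };
    }
}

// The view (WebForms syntax, as in the question) then only reads the flag:
//   <% if (Model.CanManage) { %> ...the "tools" div with the two links... <% } %>
```

A flag like `CanManage` is safe to expose because it only controls rendering. If the same view model is ever used as a model-binding target on a POST, the client can supply its own value for the flag, so authorization decisions should always come from `User.IsInRole` or `[Authorize]`, never from the posted model.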