5

In asp.net core it is very easy to define the razor pages authorization for pages and folders as follows:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    });

My problem is that I want to use roles in my project but I can not find a way to define which roles are allowed to view the contents of the page.

I tried to use the Authorize attribute but it does not work with Razor Pages.

The AuthorizePage can take a second parameter which can be used in order to define the policy which will be used in order to determine if the current user can see the specified page or not. I used it as follows:

services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Admin"));
});

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Index", "RequireAdministratorRole");
    });

The problem is that it still does not work. It acts like I have not defined the policy. When I am logged in I can see the page, and when I am not logged in it redirects me to the login form.

Is there something else that I have to do in order to make it work?

pitaridis
  • If it acts like you didn't define the policy, then perhaps you didn't add the line to use authentication: `app.UseAuthentication();` –  Jan 09 '18 at 19:29
  • I used it. I really do not know what is wrong with it. I probably have to add something else in order to activate it. – pitaridis Jan 09 '18 at 22:31

3 Answers

4

I found what is wrong. In order to apply the changes after I remove the user from the role, I have to log out and log in again so that the framework will refresh what the user is allowed to view.

This is really a problem because if a User has the admin role and for some reason we want to stop him from accessing sensitive data, we cannot stop him until he logs off.

Is there a way to refresh the user’s permissions when I remove a role from his account?

Restarting the application did not remove his permission. The only way to refresh his permissions is when he logs out.

pitaridis
2

This is due to the user's cookie still being valid. Here is more explanation with a solution. Although it is in ASP.NET, the same concepts should apply to your Razor Pages project:

Refresh current user's role when changed in ASP.NET identity framework?

Andrew
0

As to your latest question of

Is there a way to refresh the user’s permissions when I remove a role from his account?

Yes, you can refresh your logged-in user using the SignInManager RefreshSignIn method.

As per the official documentation the method will

Signs in the specified user, whilst preserving the existing AuthenticationProperties of the current signed-in user like rememberMe, as an asynchronous operation.

esanfio