I'm quite new to ASP.NET MVC5. I tried to build a Booking application with Users and Admin. A User can register themselves, book items, and show their own booking information using their own profile (after login).

I want Users to be able to log in to their profile and create/read their own booking. They should only be authorized to access their own profile after login. The Admin should have access to all of the controller.

I tried to find a tutorial on doing this, but I can only restrict the access to a controller based on a role (e.g. Admin), not by a specific User with their own Id (e.g. User1 can only access User1's information).

I appreciate any kind of response. Thank you very much.

  • User1 only having access to User1's info would be part of the business logic within the controller action, I would think, because until you query the database you don't know whether the item being requested is associated with User1 or not. So you'd have to query it and then return a Forbidden response if it turns out to be an item they don't have access to. Equally though, if your action is just "fetch user profile", then when the action runs you know who the user is, so you can always just return them their own profile; it should be impossible to ever get another user's profile. – ADyson Apr 07 '18 at 13:22
  • Thank you very much! I got the idea of implementing the logic within the controller. But I didn't have an idea of how to implement it properly. As an example, I have a Booking controller, Index (int Id), which can receive the user Id to redirect them to their own booking. User is one role, so if one user is logged in, they can still change the URL to another User's Id to check the other's booking. I want to restrict this. – StudyProgramming Apr 08 '18 at 01:54
  • So, in that scenario, you still have to execute the action method. But presumably when you query the database, at that moment you can find out whether the user in fact has permission to that booking or not. If they don't, you can return an error message instead of the booking information. – ADyson Apr 08 '18 at 10:38
  • How do I implement the permission checking? I'm thinking of storing the Id in a ViewBag to check it against the requested Id, but maybe this is a poor practice. I would like to get some idea from you, kind sir. =) – StudyProgramming Apr 08 '18 at 11:08
  • I don't think viewbag is relevant here. In the simplest scenario your Bookings table in the database should have a column containing the user ID of the user who has permission to that booking. The requested booking ID comes to you in the parameters of the action method. You read that row from the database which has the booking ID as its primary key, and then check whether the associated user ID matches the ID of the currently logged in user. If it does, then show the booking details. If not, then show an error. – ADyson Apr 09 '18 at 06:06
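One way to implement the ownership check ADyson describes in the comments above, as an added example that is not part of the original thread: an MVC5 controller that loads the booking row by its primary key and compares the row's owner column to the signed-in user's Id, letting the Admin role through unconditionally. The `Booking` entity, the `BookingContext` EF context and the `OwnerId` column name are assumptions; `User.Identity.GetUserId()` is the extension method from the `Microsoft.AspNet.Identity` package that the MVC5 template ships with.

```csharp
using System.Linq;
using System.Net;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // provides User.Identity.GetUserId()

// Hypothetical entity: every booking row records the AspNetUsers.Id of its owner.
public class Booking
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // assumed column; the ownership check keys on this
    public string Item { get; set; }
}

// Hypothetical EF context exposing the Bookings table.
public class BookingContext : System.Data.Entity.DbContext
{
    public System.Data.Entity.DbSet<Booking> Bookings { get; set; }
}

[Authorize]   // every action needs an authenticated user; Admin vs. owner is decided per action
public class BookingsController : Controller
{
    private readonly BookingContext _db = new BookingContext();

    // GET /Bookings
    // Takes no user id from the URL at all: the identity comes from the auth cookie, so a user
    // cannot list someone else's bookings by editing the address bar.
    public ActionResult Index()
    {
        var userId = User.Identity.GetUserId();
        var bookings = User.IsInRole("Admin")
            ? _db.Bookings.ToList()
            : _db.Bookings.Where(b => b.OwnerId == userId).ToList();
        return View(bookings);
    }

    // GET /Bookings/Details/5
    // Here the id IS attacker-controlled, so load the row first and then check who owns it.
    public ActionResult Details(int id)
    {
        var booking = _db.Bookings.Find(id);
        if (booking == null)
            return HttpNotFound();

        if (!CanAccess(booking))
            // 403, not a redirect to the login page: the user is authenticated, just not authorized
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        return View(booking);
    }

    // POST /Bookings/Create
    // The owner is assigned server-side and excluded from model binding, so a crafted form
    // cannot create a booking under another user's id.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create([Bind(Include = "Item")] Booking booking)
    {
        if (!ModelState.IsValid)
            return View(booking);

        booking.OwnerId = User.Identity.GetUserId();
        _db.Bookings.Add(booking);
        _db.SaveChanges();
        return RedirectToAction("Details", new { id = booking.Id });
    }

    // Single place that encodes the rule: Admin sees everything, everyone else only their own rows.
    private bool CanAccess(Booking booking)
    {
        return User.IsInRole("Admin") || booking.OwnerId == User.Identity.GetUserId();
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

Two things worth checking when you adapt this: keep the comparison in one helper like `CanAccess` and call it from every action that takes an id (Edit and Delete included), because the bug the comments describe reappears the moment one action forgets it; and decide whether a foreign booking should answer 403 or 404. Returning 404 for both "does not exist" and "not yours" hides which ids are in use, at the cost of a less precise error for legitimate users.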

1 Answer

This is a multi-tenant application, so you should read a bit about multitenancy. Also, this works quite nicely with claims-based authorization, so you should read about that too.

You can create a simple permission model with 3 permissions (read, create, edit). Every user has one or more claims to resources (a resource can be a URL for their profile, or a user id in the database). Each resource claim can have one or more permissions for the operations which the user can execute on this resource.

This way you can give your users full permissions (R, C, E) on their own profile entries. Also, a user can give some permissions to other users (for example, he can give read permissions to everyone, or edit permissions to his friends). This makes the user an 'administrator' of his own profile, and he can give some limited permissions to the other users.

You can group the permissions into roles, so when you give a user a role, all the permissions (and claims) are automatically created for him.

For the controller actions, you can look for a ClaimsAuthorizeAttribute (there are a few on SO, like this one: MVC5 Claims version of the Authorize attribute). Also, there's a great library with a lot of helpers in the IdentityServer projects here: https://github.com/IdentityServer
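A sketch of the per-resource claims model the answer describes, as an added example that is not taken from the answer, from the linked SO post, or from IdentityServer: a custom `AuthorizeAttribute` that reads the booking id from the route and requires a matching permission claim on the signed-in `ClaimsPrincipal`, with the Admin role bypassing the check. The claim-type prefix `urn:booking:`, the `Booking` type, the route key `id` and the place where the claims are issued are all assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Minimal booking row (hypothetical); OwnerId is the owning user's AspNetUsers.Id.
public class Booking
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
}

// The three permissions from the answer's model.
public enum Permission { Read, Create, Edit }

public static class BookingClaims
{
    // Hypothetical claim-type namespace: claim type "urn:booking:read", claim value = booking id.
    private const string Prefix = "urn:booking:";

    public static string TypeFor(Permission p)
    {
        return Prefix + p.ToString().ToLowerInvariant();
    }

    // Issue the owner's resource claims when the identity is built at sign-in. In the MVC5
    // template the natural call site is ApplicationUser.GenerateUserIdentityAsync.
    // Owners get Read and Edit on each of their bookings; a delegation feature ("give my friend
    // read access") would add Read claims on another user's bookings the same way.
    public static void AddOwnedBookings(ClaimsIdentity identity, IQueryable<Booking> bookings, string userId)
    {
        var ownedIds = bookings.Where(b => b.OwnerId == userId).Select(b => b.Id).ToList();
        foreach (var id in ownedIds)
        {
            identity.AddClaim(new Claim(TypeFor(Permission.Read), id.ToString()));
            identity.AddClaim(new Claim(TypeFor(Permission.Edit), id.ToString()));
        }
    }
}

// Usage: [ResourceAuthorize(Permission.Read)] on an action whose route carries the booking id.
public class ResourceAuthorizeAttribute : AuthorizeAttribute
{
    private readonly Permission _permission;
    private readonly string _routeKey;

    public ResourceAuthorizeAttribute(Permission permission, string routeKey = "id")
    {
        _permission = permission;
        _routeKey = routeKey;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))   // base check: the user must be authenticated
            return false;

        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null)
            return false;

        if (principal.IsInRole("Admin"))        // Admin holds every permission on every resource
            return true;

        // The resource id is attacker-controlled (it comes from /Bookings/Details/5), so it is
        // only ever compared against claims the server issued, never trusted on its own.
        var routeData = httpContext.Request.RequestContext.RouteData;
        var resourceId = Convert.ToString(routeData.Values[_routeKey]);
        if (string.IsNullOrEmpty(resourceId))
            resourceId = httpContext.Request.QueryString[_routeKey];
        if (string.IsNullOrEmpty(resourceId))
            return false;

        return principal.HasClaim(BookingClaims.TypeFor(_permission), resourceId);
    }

    // An authenticated user without the claim gets 403; the base class would send a 401, which
    // the cookie middleware turns into a redirect back to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

[Authorize]
public class BookingsController : Controller
{
    // Reached only by a principal holding urn:booking:read = {id}, or by an Admin.
    [ResourceAuthorize(Permission.Read)]
    public ActionResult Details(int id)
    {
        return View(id);   // the action itself no longer needs to repeat the ownership check
    }
}
```

One caveat before choosing this over a plain database check: claims are serialized into the authentication cookie at sign-in, so a booking created after login has no claim until the identity is regenerated, and a user with many bookings makes every request carry a large cookie. For "a user may only see their own bookings" the row-level owner comparison is simpler and always current; the claims model earns its keep when permissions are delegated between users, as the answer describes for profiles, because the same attribute then enforces owner, friend and Admin access uniformly.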