
I have a controller method that is only allowed to be used by users with the canModify role. I have made sure that the user has this role, and that the user is displayed as being a member of this role group. But when I try to edit a post on this account, it displays the "Access Denied" page.

I am not sure where to go from here. I have printed out the roles belonging to the currently logged in user, and it displays "canModify". I have printed out the list of users who possess the role "canModify", and the user I am logged in as is printed out.

GET Edit method in the Controller:

[Authorize(Roles = "canModify")]
public async Task<IActionResult> Edit(int? id)
{
    if (id == null)
    {
        return NotFound();
    }

    var post = await _context.Post.FindAsync(id);
    if (post == null)
    {
        return NotFound();
    }
    return View(post);
}

Where the role is set:

// rm is the RoleManager<IdentityRole> handed to the DbInitializer constructor.
private async Task Admin(UserManager<ApplicationUser> userManager, ApplicationDbContext context)
{
    // Only create the role once; CreateAsync fails on a duplicate name.
    if (!await rm.RoleExistsAsync("canModify"))
    {
        await rm.CreateAsync(new IdentityRole("canModify"));
    }

    ApplicationUser admin = new ApplicationUser
    {
        UserName = "admin@test.com"
    };
    if (!context.Users.Any(u => u.UserName == admin.UserName))
    {
        // Await instead of .Wait() so failures surface as exceptions rather than deadlocks.
        await userManager.CreateAsync(admin, "Password123!");
        await userManager.AddToRoleAsync(admin, "canModify");
    }
}

This is my Configure method in Startup.cs:

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseAuthentication();

// Seed roles and the admin user; the scoped services are resolved from the scope
// and released when it is disposed.
var scopeFactory = app.ApplicationServices.GetRequiredService<IServiceScopeFactory>();
using (var scope = scopeFactory.CreateScope())
{
    var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<IdentityRole>>();
    var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
    var context = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
    DbInitializer dbi = new DbInitializer(roleManager);
    dbi.Initialize(context, userManager);
}

It should be the case now that the admin can edit the posts in the system, but it says access denied.
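An added diagnostic, not the asker's code: [Authorize(Roles = "...")] evaluates the role claims on the signed-in ClaimsPrincipal (built when the cookie was issued), not the rows in AspNetUserRoles, so the two can disagree. This hypothetical controller returns both views side by side for the current user; it assumes the question's ApplicationUser type and a registered UserManager<ApplicationUser>.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical diagnostic controller (added example, not from the question).
[Authorize]
public class WhoAmIController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;

    public WhoAmIController(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    [HttpGet]
    public async Task<IActionResult> Index()
    {
        // Roles as the authorization filter sees them: role claims in the cookie principal.
        var principalRoles = User.Claims
            .Where(c => c.Type == ClaimTypes.Role)
            .Select(c => c.Value)
            .ToList();

        // Roles as stored in the database for the same account.
        var user = await _userManager.GetUserAsync(User);
        var storedRoles = user == null
            ? new List<string>()
            : (await _userManager.GetRolesAsync(user)).ToList();

        // A role present in storedRoles but absent from principalRoles means the
        // current cookie was issued before the assignment, or role claims are not
        // being added to the principal at sign-in. Sign out and back in, then re-check.
        return Json(new
        {
            userName = User.Identity?.Name,
            isInRoleViaPrincipal = User.IsInRole("canModify"),
            principalRoles,
            storedRoles
        });
    }
}
```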

  • In your case the user is not authenticated properly. Do you customize the register user process? – Muhammad Azim Dec 31 '18 at 04:45
  • I used the scaffolding to include individual user accounts, and extended IdentityUser to make my app use "ApplicationUser". So I have not touched the registration page. – Jed Dec 31 '18 at 04:51
  • I have passed the logged in user object to the view, and printed out the list of roles attached to the logged in user, and it displays canModify. If I print out the users attached to canModify, it prints out the correct email. So I'm not sure what is happening. – Jed Dec 31 '18 at 04:54
  • How could you call this Edit method? Do you log in before calling this method? – Muhammad Azim Dec 31 '18 at 05:05
  • @MuhammadAzim Yeah. The method belongs to the PostController class, the PostController class is annotated with [Authorize] so you have to be logged in to view it. Then the Edit methods within this class are annotated with [Authorize(Roles = "canModify")]. – Jed Dec 31 '18 at 05:07
  • https://i.imgur.com/PAA57ff.png This is what I mean with regards to printing the user/role permissions. – Jed Dec 31 '18 at 05:09
  • Could you please check this link: https://stackoverflow.com/questions/20132795/asp-net-identity-check-user-roles-is-not-working – Muhammad Azim Dec 31 '18 at 05:25
  • I just read it, and unfortunately it does not fix my problem. I have checked the case of my role name obsessively to make sure I have not made a very silly mistake. The problem is the app for some reason thinks the user does not have a role that they do have, since it is in the database etc. – Jed Dec 31 '18 at 05:38
