
There are currently 3 roles - Admin, Manager and Writer. There are some methods inside HomeController and most of them are common for both Admin and Manager, a few for only Admin, and a few for Writer. There are around 30 methods. 25 will be common for Admin and Manager, 1-2 for only Admin, and 1-2 for all 3 roles.

  • Only 1 method named ForWriterOnly() should be available for everyone
  • Writer should not have access to any of other methods, but Admin and Manager should have access
  • There are some methods which are only for Admin, and not for Manager and Writer

What is the best way to achieve the 3 cases mentioned above? How can I exclude Writer from most of the other methods except ForWriterOnly()? And how can I exclude Admin from accessing some other methods?

I know I could write [Authorize(Roles = "Admin, Manager")] for those 25 common methods for Admin and Manager but I am looking for a simpler solution.

Please make modifications in my code so that it will be easier to understand.


 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 [Authorize(Roles = "Admin, Manager, Writer")]
 public class HomeController : Controller
 {
     public async Task<IActionResult> ForEveryone()
     {
         return View();
     }

     public async Task<IActionResult> ForAdminAndManager()
     {
         return View();
     }

     public async Task<IActionResult> ForWriterOnly()
     {
         return View();
     }

     public async Task<IActionResult> ForAdminOnly()
     {
         return View();
     }

     public async Task<IActionResult> ForAdminAndManager1()
     {
         return View();
     }

     public async Task<IActionResult> ForAdminAndManager2()
     {
         return View();
     }

     // ...........
     // There are around 30 other methods which are common for both Admin and Manager
 }
Vim

2 Answers


First of all, if you use [Authorize(Roles = "Admin, Manager, Writer")] above your controller, then this will give access to your entire HomeController and its actions to the Admin, Manager and Writer roles.

There are several ways of achieving this, but in my opinion I'd separate my controllers. But for simplicity I will continue with your situation.

 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 // Normally your controller will be accessible only by authenticated users.
 [Authorize]
 public class HomeController : Controller
 {
     // Here you want your action to be accessible by everyone,
     // so you don't have to give any attributes here.
     public async Task<IActionResult> ForEveryone()
     {
         return View();
     }

     [Authorize(Roles = "Admin, Manager")]
     public async Task<IActionResult> ForAdminAndManager()
     {
         return View();
     }

     [Authorize(Roles = "Writer")]
     public async Task<IActionResult> ForWriterOnly()
     {
         return View();
     }

     [Authorize(Roles = "Admin")]
     public async Task<IActionResult> ForAdminOnly()
     {
         return View();
     }

     [Authorize(Roles = "Admin, Manager")]
     public async Task<IActionResult> ForAdminAndManager1()
     {
         return View();
     }

     [Authorize(Roles = "Admin, Manager")]
     public async Task<IActionResult> ForAdminAndManager2()
     {
         return View();
     }
 }

Burak

You can specify roles for each action.

Allow multiple roles to access controller action

If you use [Authorize] above the controller, you should use [AllowAnonymous] for actions that you want accessible by everyone.

Role-based authorization in ASP.NET Core

 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 [Authorize]
 public class HomeController : Controller
 {
     [AllowAnonymous]
     public async Task<IActionResult> ForEveryone()
     {
         return View();
     }

     [Authorize(Roles = "Admin, Manager")]
     public async Task<IActionResult> ForAdminAndManager()
     {
         return View();
     }

     [Authorize(Roles = "Writer")]
     public async Task<IActionResult> ForWriterOnly()
     {
         return View();
     }

     [Authorize(Roles = "Admin")]
     public async Task<IActionResult> ForAdminOnly()
     {
         return View();
     }

     [Authorize(Roles = "Admin, Manager")]
     public async Task<IActionResult> ForAdminAndManager1()
     {
         return View();
     }

     [Authorize(Roles = "Admin, Manager")]
     public async Task<IActionResult> ForAdminAndManager2()
     {
         return View();
     }
 }

Amin Golmahalleh
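The asker wanted to avoid repeating [Authorize(Roles = "Admin, Manager")] on 25 actions. As an added example (not code from either answer), this shows the pattern both answers point towards: ASP.NET Core combines a controller-level [Authorize] with action-level ones as an AND, so the shared rule becomes the controller default and an action can only narrow it, never widen it; actions with a different audience go in a second controller. The controller names ManagementController and SharedController are assumed.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Controller-level rule is the default for every action: only Admin or Manager get in.
// Stacked [Authorize] attributes are ANDed, so an action can tighten this but never loosen it.
[Authorize(Roles = "Admin,Manager")]
public class ManagementController : Controller
{
    // No attribute needed: inherits the controller rule (Admin or Manager).
    public IActionResult ForAdminAndManager() => View();

    public IActionResult ForAdminAndManager1() => View();

    public IActionResult ForAdminAndManager2() => View();

    // (Admin or Manager) AND (Admin) => Admin only. Manager is denied here.
    [Authorize(Roles = "Admin")]
    public IActionResult ForAdminOnly() => View();

    // WRONG place for a Writer action: (Admin or Manager) AND (Writer) can never be
    // satisfied by a Writer, so every Writer request would get 403. Keep it out of this
    // controller instead of trying to override the rule here.
    // [Authorize(Roles = "Writer")]
    // public IActionResult ForWriterOnly() => View();
}

// Actions whose audience differs from the Admin/Manager default live in their own
// controller whose baseline is just "authenticated".
[Authorize]
public class SharedController : Controller
{
    // Any signed-in user: Admin, Manager or Writer. Unauthenticated requests are still rejected.
    public IActionResult ForEveryone() => View();

    // Writer only; Admin and Manager are denied unless they are listed as well.
    [Authorize(Roles = "Writer")]
    public IActionResult ForWriterOnly() => View();

    // Note: [AllowAnonymous] on an action bypasses every [Authorize] on this controller,
    // including the authentication requirement itself, so unauthenticated requests would
    // reach it. Use it only when "everyone" really means "anyone on the internet".
}
```

Role names inside the Roles string are comma-split and trimmed by ASP.NET Core, so "Admin,Manager" and "Admin, Manager" behave the same.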