MVC 3 dynamic authorization of multiple roles and users
You can create your own custom attribute that inherits from AuthorizeAttribute
and override the OnAuthorize
method to do what you need.
This should get you started:
public class ArticleAuthorizeAttribute : AuthorizeAttribute{ public enum ArticleAction { Read, Create, Update, Delete } public ArticleAction Action { get; set; } public override void OnAuthorization(AuthorizationContext filterContext) { base.OnAuthorization(filterContext); //do custom authorizization using Action and getting ArticleID //from filterContext.HttpContext.Request.QueryString or //filterContext.HttpContext.Request.Form }}
The usage would look like this:
[ArticleAuthorize(Action=ArticleAuthorizeAttribute.ArticleAction.Update)]
Edit: After looking into this a bit more, it looks like you can't pass this.articleID in to the attribute. However, you do have access to the parameters from filterContext.HttpContext.Request
through the QueryString
property or the Form
property, depending on how you are passing the values. I have updated the code sample appropriately.
A more complete example can be found here
To check for authorization using user role and user list you would do something like this:
var allowedUsers = new List<string>(); //populate allowedUsers from DB If (User.IsInRole("Update") || allowedUsers.Contains(User.Identity.Name)) { //authorized }
Alternatively, you can do both checks against the DB directly in a single method to keep from making two calls.
Here's a much easier way to accomplish the same thing:
[Authorize]public ActionResult UpdateArticle(ArticleModel model, int articleid){ // if current user is an article editor return View(); // else return View("Error");}
I got it working as I wanted when I overrode the AuthorizeCore method and authorizes the way I want to.
protected override bool AuthorizeCore(HttpContextBase httpContext) { if (httpContext == null) { throw new ArgumentNullException("httpContext"); } IPrincipal user = httpContext.User; if (!user.Identity.IsAuthenticated) { return false; } if ((_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) && (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole))) { return false; } return true; }