MVC 3 dynamic authorization of multiple roles and users MVC 3 dynamic authorization of multiple roles and users asp.net asp.net

MVC 3 dynamic authorization of multiple roles and users


c# asp.net asp.net-mvc-3 authorization

You can create your own custom attribute that inherits from AuthorizeAttribute and override the OnAuthorize method to do what you need.

This should get you started:

public class ArticleAuthorizeAttribute : AuthorizeAttribute{    public enum ArticleAction    {         Read,        Create,        Update,        Delete    }    public ArticleAction Action { get; set; }    public override void OnAuthorization(AuthorizationContext filterContext)    {        base.OnAuthorization(filterContext);        //do custom authorizization using Action and getting ArticleID         //from filterContext.HttpContext.Request.QueryString or        //filterContext.HttpContext.Request.Form    }}

The usage would look like this:

[ArticleAuthorize(Action=ArticleAuthorizeAttribute.ArticleAction.Update)]

Edit: After looking into this a bit more, it looks like you can't pass this.articleID in to the attribute. However, you do have access to the parameters from filterContext.HttpContext.Request through the QueryString property or the Form property, depending on how you are passing the values. I have updated the code sample appropriately.

A more complete example can be found here

To check for authorization using user role and user list you would do something like this:

        var allowedUsers = new List<string>();        //populate allowedUsers from DB        If (User.IsInRole("Update") || allowedUsers.Contains(User.Identity.Name))        {            //authorized        }

Alternatively, you can do both checks against the DB directly in a single method to keep from making two calls.

c# asp.net asp.net-mvc-3 authorization

Here's a much easier way to accomplish the same thing:

[Authorize]public ActionResult UpdateArticle(ArticleModel model, int articleid){    // if current user is an article editor    return View();    // else    return View("Error");}

c# asp.net asp.net-mvc-3 authorization

I got it working as I wanted when I overrode the AuthorizeCore method and authorizes the way I want to.

    protected override bool AuthorizeCore(HttpContextBase httpContext)    {        if (httpContext == null)        {            throw new ArgumentNullException("httpContext");        }        IPrincipal user = httpContext.User;        if (!user.Identity.IsAuthenticated)        {            return false;        }        if ((_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) && (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole)))        {            return false;        }        return true;    }

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last