I have MVC application with fixed set of roles: Admin, Management, Student
One of the new roles (Student) should have limited access to the application.
I have lot of methods and don't want to write [Authorize(... attribute for each of them.
Is there a way to define them once for all of the methods?
It's possible to define Authorize attribute also on a controller.
To define it only once I can use BaseController. When I have one common controller, that every other controller inherits from I can write this:
[Authorize(Roles = "Administrator, Management")]
public abstract class BaseController : Controller
{...
Then in some other controller:
public class ClassController : BaseController
{
...
[Authorize(Roles = ("Administrator, Management, Student"))]
public ActionResult Method()
{
...
This will ensure that role Student will have access only to the Method and not any other method defined in any of the controllers.
Related
I would like to list all the available endpoints a controller provides.
Is it possible to access the component(s) .NET uses to generate these routes (by, for instance providing it a type or controller name (string))?
The methods/verbs (so, POST, GET) are not even that important for my scenario, just the routes themselves.
Example
Please, take a look on the below ASP.NET Core code.
[ApiController]
[Route("[controller]")
public class HomeController : ControllerBase
{
[HttpGet("additional")]
public async Task<IActionResult> Whatever()
{
// ...
}
}
So, the method will be exposed as a GET endpoint on the URL of Home/additional.
I have a working authorization based on roles like this.
[Authorize(Roles = "Super, Common")]
[Route("api/[controller]")]
public class MemberController : Controller
{
...
[HttpGet("Member/{id}")]
public IActionResult GetMember(Guid id)
{
Member output;
...
return Ok(output);
}
}
The problem now is that any member can see any other. I'd like the method to be authorized so that:
If the given member has the role of "common" (the ID is in the claims), they can fetch info about themselves.
If the given member has the role of "super", they can fetch info about themselves but also about any other member in their organization.
If the given member has the role of "admin", they can fetch info about themselves and any member in their organization but also about any other member in the database as a whole.
My way to resolve it is to build in logic in the controller fetching and checking. However, I know that there are security policies in the framework, which can be configured in the Start class.
I wonder if said task is possible to resolve using policy configuration to begin with or if I'm doomed to hack the logic myself in the method of the controller. I can't determine it myself as I lack the competence. Is that a feasible strategy?
Everytime that i need to do a Roles.IsUserInRole or user User.IsInRole i have a timeout:
This is the role class:
But doing a GetAllRoles works properly:
Why?
After more reading i realiaze that i was missing this:
[InitializeSimpleMembership]
public class HomeController : Controller
Adding [InitializeSimpleMembership] to the home controller resolves the issue.
I have an ASP.NET MVC3 web application with C# and Razor.
Through a form in a View I get the Context.User.Identity.Name submitted to an action method in a Controller A.
I would like to have available this variable application-wide (between multiple controllers).
Now I am just able to assign it to a global variable _UserName within the Controller A, but of course it is not available in Controller B.
Is it possible to do that?
Thanks
Francesco
If you are accessing this in any controller, you should use HttpContext.User.Identity in your controller methods - it will be available there. No need to store in the session.
Create a parent controller from which all your controllers inherit from and set the variable there. You could do a number of things with it from there--wrap it in a view model, put some user details into the ViewBag, etc
public class UserController : Controller
{
// create your own User class with as many properties as you need
protected User user { get; set; }
public UserController()
{
user = // get user from db, wherever
}
}
Then, just inherit from UserController
public class ControllerA : UserController
{
public ActionResult DoSomething()
{
user.Property = 123;
}
}
You should look into caching and possibly using the users session store this information.
Check out this question.
I have a BaseController that all Controllers inherit from. The CaseController has the [Authorize] annotation, so that all controllers require authorization.
But I've just realized that one single controller action must not require authorization. How can I turn off [Authorize] for just that one controller action?
using System.Web.Mvc;
using Unleashed.Service.Interfaces;
namespace Controllers
{
[Authorize]
[RequireHttps]
public class BaseController : Controller
{
}
}
And the controller action is called via a POST from another site. They authorize by passing a token. They will not be authorized via forms authentication.
[Authorize=false] // doesnt compile
[Authorize(false)] // doesnt compile
public ActionResult DoSomething(string token, string data)
{
}
Solved by creating a new controller that does not inherit from BaseController, and adding the action to that controller. Now this one action does not require authorization, and all existing actions remain as is.