Can you set authorization attributes at a table level in MVC? - c#

I know you can set the authorize attribute at the controller level and at the action level, but let's say I have a table in a view and I want some users to be able to only see certain columns and some users to be able to edit certain columns. How can I achieve this?

You'd filter the grid based on the user/role (in the controller action that builds the grid). Same for edit feature. Hide/display the edit button for certain users.

There is no out-of-the-box declarative security solution I know about for such a granular level as parts of a view. You should build the views on your own and allow some of their parts to be rendered based on the set of roles some users have and some users don't. You can also create separate partial views, depending on how much they are going to differ based on the authorization levels in your system.

Related

asp.net mvc save user selection globally

I am developing an MVC 5 web application which allows the user to select the language and currency to be displayed to them; the selected language and currency are expected to be retrievable throughout the controllers and views.
Do note that the user I am referring to here is an anonymous user (a user who does not log in), so I do not intend to save their selection to the database.
I am thinking of using the session to store the selection. However, it does not seem a good choice to me, as these are only two values that I need to store in the session. Is there any better alternative?
An alternative is to put the language in the URL:
{language}/{controller}/{action}/{id}
e.g.
en/home/index
fr/home/index
The advantage is that the URL is bookmarkable and clearer.
An example implementation: http://adamyan.blogspot.sg/2010/07/addition-to-aspnet-mvc-localization.html
For currency, I'll probably determine it from the culture of the user, or at least use that value as the default for a first-time user. If you want to let the user change it, a cookie is fine in my opinion.

Where to put settings of GUI/View on MVC?

In my C# 2.0 (.NET CF) program, I need to create a theme-based GUI (with controls that are non-.NET and 3rd party). I will be doing it in such a way that the user can customize the colors, fonts, toolbar/tabcontrol positions, etc. Then I need to store this in some file/XML and later retrieve it using simple serialization/deserialization. But my problem is where to put this. Should this go in the model, view, or controller?
Thanks
Theme-based user preferences information is "data" and does not belong in any of the main MVC folders. Data is always separate from these folders.
If you are sure that you don't want to store it in a database or NoSQL data storage, but want to use a file instead, you can create a separate folder in the root folder for this purpose. Alternatively you can use resx files and the .NET ResourceManager class if your preferences will be key-value pairs. (RESX tutorial: http://msdn.microsoft.com/en-us/library/gg418542(v=vs.110).aspx )
Please see below for summaries of what the model, view and controller should contain and why they are not suitable for holding theme-based user preferences.
MODEL: The model "represents" the data, and does nothing else. Representation is the keyword here. User theme preferences are actual data and do not belong here.
VIEW: The view displays the model data, and sends user actions (e.g. button clicks) to the controller, thus it's not suitable for storing user preferences data.
CONTROLLER: The controller provides model data to the view, and interprets user actions. Your file clearly is not a controller and does not belong here.
(For a detailed explanation of what MVC concepts are and to see some examples: http://blog.codinghorror.com/understanding-model-view-controller/)

How to tie custom properties to a registered user in C#/asp.net MVC 4

Say there are three roles, namely:
Registered
Administrator
Sponsor
I'd like users to be able to self-register as Registered (easy enough out-of-box).
I'd like an Administrator to be able to see all registered users and check off the "Sponsor" checkbox, making the user a Sponsor.
Once the user is "checked" as a Sponsor, the Administrator should be able to add additional parameters for the Sponsor, including logo and Sponsor URL, which webpage(s) they are sponsoring, the valid date range for the sponsorship by webpage, the number of impressions and clicks, and also "paid/not paid".
I'm trying to wrap my head around Memberships and Profiles, and see how they apply to this.
Can anyone provide a general framework as to how I can properly architect this? Are there Nuget packages to do just this?
Advice appreciated.
Maybe my answer to another question will help a bit: "Using out of the box aspnet membership for public facing website"
In Nuget - Thinktecture.IdentityModel is a way to go.
Use the table profile provider.
You can then edit the values in this table directly through a simple page.
Excluding the profile provider, is there an easy way to add custom fields to ASP.NET membership?
You can then use the web interface to assign a user to a role as an admin:
http://msdn.microsoft.com/en-us/library/t32yf0a9.aspx
Or simply code this page and use Roles.AddUserToRole
http://msdn.microsoft.com/en-us/library/system.web.security.roles.addusertorole.aspx

Architectural guidance for an eBay-like "Contact Us" system with a decision "workflow"

I am creating a new support center and "self-help" customer service module for an application. The CIO really likes the flow of eBay's "Contact Us" pages, that basically work like this:
First, you select a specific topic from a group of topics (e.g. Buying, Selling, Account on eBay)
You're then presented with what appears to be one of three variable types of information, based on the topic you picked (names are just what I'm calling them in some preliminary sketches):
"Descriptive": displays rich text with possible links to other parts of the application.
"Choice": Displays a list of additional topics
"Action": Lets the user look up an item and do some action (e.g. cancel)
From some experimentation, a choice can list to other choices, or to a descriptive block of text, or to an action section.
I'm turning up blanks as to the proper architecture for this. My platform of choice is ASP.NET (WebForms, sadly; we have no desire to touch MVC here) so the "Action" areas would have to be a user control that's dynamically loaded into a placeholder, but I'm more concerned with a possible database structure for this. I would need a way to know if each topic leads to one of the three types above and then on the page dynamically load either the content, list of links, or user control which makes things a bit trickier, nevermind the fact that a non-technical user will have to update and add the information from some kind of administrative panel.
Any suggestions for doing something like this? I'm not on a tight deadline, but I can't take too long or I'll be considered to be wasting time and not producing results.
If you can store the "tree of knowledge" in some way, like a custom XML file which would organize all options / possible actions, descriptions etc. Then you can "walk" it based on user's selections and display appropriate user control with content generated on the fly based on the contents of the XML node you're currently at.
Your "admin tool" would then need to update/modify the XML file, and your "public" CMS would render user controls inside an ASPX form.
One of the projects I worked on used this methodology for an intranet's user menu - effectively a knowledge base of hyperlinks / actions split into categories so they can be drilled down into. Each element can contain links to other elements - so you have a spider-web-like navigable chain / workflow.
Just make sure each element has a unique ID (trivial to implement) and you can always get at it through xpath.
By having users modify a "working copy" and keeping backups of the live XML file when changes are published you also get versioning / roll-back which would be difficult to do in a DB.
If I personally was doing this I would just roll some MVC3 controllers that handle the work flow steps as needed. That seems to be out for you however.
With webforms, I would most likely consider handling this using Windows Workflow Foundation (the learning curve is moderately steep on this). Here's a pretty good example on using WF Flexible Web UI Workflow application through ASP.NET MVC & Windows Workflow Foundation. It's built on MVC however you could easily replace the return Views() with return UserControls.
Following a model like this would de facto give you the MVC pattern. The controller dictating flow matches very well for a workflow scenario.
Edit: Since this even seems out of the question, at this point your best option is just writing a controller class that will manage the flow manually (probably a bunch of state / if checks) and then redirect users or return the appropriate user control.

Conditional/limited access in a controller/view? (MVC2)

I have two roles being used on my site currently, author & admin. Authors cannot access user administration functions. However, they should be able to edit certain parts of their profile. An admin is currently able to edit all parts of a user's profile. For example:
employee ID [admin]
display name [author,admin]
roles [admin]
I would like to re-use code where possible. I'm not sure what the best solution would be here. There are 2 things to deal with
Only allowing a user to edit their own profile and not others
Restricting which fields that user can edit vs which fields an admin can edit
I think #1 is best achieved by a custom Authorize attribute (I already have one I can extend further). If you have a better approach please share. And #2 I am unsure, view model? I have my allowed fields bound for a user using a partial class which would be different for each role.
Your solution for #1 is spot on, you need to use the AuthorizeAttribute.
For #2 you can just do security trimming where you only render for the particular user.
Some pseudo code in your view (or move it to a partial view):
    if administrator
        render employee ID text box
    if administrator || author
        render display name text box
    if administrator
        render roles check list
So you're going to need to control how to determine if the user is in a "role". You can use ASP.NET's Membership Provider or roll something of your own.
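The role checks suggested in the answers on this page (filtering by user/role in the controller action, and the view pseudocode above) decide only what is rendered; the action that accepts the edit has to apply the same rule to the posted fields. An added example, not code from any of the posts, using the field list from the question above; `FieldPolicy`, `CanEdit`, `EditableFields` and `ApplyEdit` are hypothetical names, the sample values are constructed, and `GenericPrincipal` stands in for the request's `User`:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

static class FieldPolicy
{
    // Field -> roles allowed to edit it (the list from the question above).
    static readonly Dictionary<string, string[]> EditRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "EmployeeId",  new[] { "admin" } },
            { "DisplayName", new[] { "author", "admin" } },
            { "Roles",       new[] { "admin" } },
        };

    // Fields missing from the map are denied by default.
    public static bool CanEdit(IPrincipal user, string field) =>
        EditRoles.TryGetValue(field, out var roles) && roles.Any(user.IsInRole);

    // What the view may render as editable for this user (security trimming).
    public static List<string> EditableFields(IPrincipal user) =>
        EditRoles.Keys.Where(f => CanEdit(user, f)).ToList();

    // Enforcement in the POST action: copy permitted fields, report the rest.
    public static List<string> ApplyEdit(IPrincipal user,
        IDictionary<string, string> posted, IDictionary<string, string> profile)
    {
        var rejected = new List<string>();
        foreach (var kv in posted)
            if (CanEdit(user, kv.Key)) profile[kv.Key] = kv.Value;
            else rejected.Add(kv.Key);
        return rejected;
    }
}

static class Demo
{
    static void Main()
    {
        var author = new GenericPrincipal(new GenericIdentity("alice"), new[] { "author" });
        var profile = new Dictionary<string, string> { ["EmployeeId"] = "1001", ["DisplayName"] = "Alice", ["Roles"] = "author" };
        // Constructed form post: it carries a field the trimmed view never offered.
        var posted = new Dictionary<string, string> { ["DisplayName"] = "Alice B.", ["Roles"] = "admin" };
        var rejected = FieldPolicy.ApplyEdit(author, posted, profile);
        Console.WriteLine("editable: {0}; rejected: {1}; Roles is still: {2}",
            string.Join(",", FieldPolicy.EditableFields(author)), string.Join(",", rejected), profile["Roles"]);
    }
}
```

Driving both the view and the POST action from one map keeps the rendered fields and the accepted fields from drifting apart; a non-empty rejected list is also worth logging, since the trimmed form never offered those fields.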
