I am busy writing my own custom attribute for my action method called MyAuthorizeAttribute, I am still busy writing the code, here is my partial code:
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
public new Role Roles;
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
if (Roles != 0) // Did it this way to see what the value of Roles was
return;
// Here I am going to get a list of user roles
// I'm doing my own database calls
filterContext.Result = new HttpUnauthorizedResult();
}
}
Here is my Role enum:
public enum Role
{
Administrator = 1,
SuperAdministrator = 2
}
My action method:
[MyAuthorize(Roles = Role.Administrator|Role.SuperAdministrator)]
public ActionResult Create()
{
return View();
}
The reason why I did not use Roles = "Administrator,SuperAdministrator" was because the roles are hard-coded. I don't want to have a 100 places to change if the role name changes.
Given my method, when it gets to if (Roles != 0) then Roles total value is 3, how would I check to see if these 2 roles is in the list of user roles for a specific user?
Am I doing it correct here? If not how would I otherwise implement this? It doesn't have to be the way that I did it in.
Would it not be better if MyAuthorizeAttribute accepted an IList ( or similar)
That way it is both typesafe, but you don't have to use bit flags.
Bit flags are great if you want to save the reult, but this is the other way.
Edit (Now with examples):
Attribute:
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
public Role[] RoleList { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException("httpContext");
}
IPrincipal user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
//Only role access is implemented here
/*if ((this._usersSplit.Length > 0) && !this._usersSplit.Contains<string>(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
{
return false;
}*/
if ((RoleList.Length > 0) && !RoleList.Select(p=>p.ToString()).Any<string>(new Func<string, bool>(user.IsInRole)))
{
return false;
}
return true;
}
}
Controller:
[MyAuthorize(RoleList = new []{Role.Administrator , Role.SuperAdministrator} )]
public ActionResult Create()
{
return View();
}
If I understand correctly, your problem here is not with inheriting the AuthorizeAttribute, but rather with comparing enum values. You probably want an enum type that you can use as a bit flag - if so, take a look at the section about Enumeration Types in the C# Programming guide especially the second part, "Enumeration Types as Bit Flags".
To clarify a bit:
Instead of just checking Roles!=0, you could now do something like this:
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
// Here you get an enum indicating the roles this user is in. The method
// converts the db information to a Role enum before it is returned.
// If the user is not authenticated, the flag should not be set, i.e. equal 0.
Role userRole = GetUserRolesFromDatabase();
// Bitwise comparison of the two role collections.
if (Roles & userRole > 0)
{
// The user is in at least one of the roles in Roles. Return normally.
return;
}
// If we haven't returned yet, the user doesn't have the required privileges.
new HttpUnauthorizedResult();
}
To make the comparison easier, you could use the following extension method on your enum:
public static class RolesExtensions
{
public static bool HasAnyOf(this Roles r1, Roles roles)
{
return (r1 & roles) > 0;
}
}
Related
I have an HTML form that is sent to a controller action (via POST) based on MVC.
The form contains different inputs. There are extra inputs if the user has certain claims.
For example, if the User is administrator, he/she sees an additional text area for comments.
public class MySubmit
{
public string Name { get; set; }
public string IsActive { get; set; }
// only an administrator should be able to set this field
// for all other users, this should be empty
public string Comment { get; set; }
}
public class MyController : Controller
{
public IActionResult MyActionResult(MySubmit submit)
{
}
}
What is the best and safest way to process the result on the action?
Theoretically it is possible that the a tries to submit values although he/she does not actually see the corresponding form controls, because he/she does not have the claim.
I would like to set default values used for field values instead, if the user does NOT have these claims - no matter what values he sends for these fields.
Is there anything built in?
Bryan Lewis gave the right hint: Fluent Validation.
Fluent Validation has the ability to use the HTTP context via Dependency Injection to receive the user and perform a claim comparison:
public class YourModelValidator: AbstractValidator<YourModel>
{
public YourModelValidator(IHttpContextAccessor httpContext)
{
RuleFor(x => x.YourProprty).Custom( (html, context) =>
{
var user = httpContext.User;
if (!user.HasClaim(c => c.Type.Equals(claim))
{
context.AddFailure("Claim is missing.");
}
});
}
}
You can validate the value, but you should not set the value.
Is there anything built in?
No. There's no built-in way to do that.
Design
You might want to achieve that with a custom model binder. But I believe that's not a good way. Because you'll have to process all kinds of input formatters at the same time. Think about somewhere your action expects a [FromForm]MySubmit mySubmit while another action expects a [FromBody] Submit mySubmit. The first action requires a payload of form, while the second action might expect a JSON. Even you take care of the two above scenarios, what about you want to enable XML payloads in future? In short, you can hardly write a general Model Binder for this.
Validation might help. But validation usually makes you repeat yourself if you have several models( Think about you have ten domain models, each one has several properties that requires some claims)
IMO, a better way is to use ActionFilter. Since ActionFilter takes place after the model binding, it would be possible to erase the field when the field requires a role.
To do that, create a custom attribute to mark which property requires some role:
[AttributeUsage(AttributeTargets.Property, AllowMultiple=false)]
internal class RequireRolesForBindingAttribute : Attribute
{
public string[] Roles {get;}
public RequireRolesForBindingAttribute(params string[] roles)
{
this.Roles = roles;
}
}
Now when some roles are required, simply annotate the target property like below:
public class MySubmit
{
public string Name { get; set; }
public string IsActive { get; set; }
// only an root/admin can bind this field for all other users, this should be empty
[RequireRolesForBindingAttribute("root","admin")]
public string Comment { get; set; }
public Sub Sub{get;set;} // test it with a complex child
}
public class Sub{
public int Id {get;set;}
public string Name {get;set;}
[RequireRolesForBindingAttribute("root","admin")]
public string Note {get;set;}
}
The above data annotation represents that the two properties should be erased if the user has no rights:
Comment property of MySubmit
Note property of Sub
Finally, don't forget to enable an custom action filter. For example, add it on action method:
[TypeFilter(typeof(RequireRolesForBindingFilter))]
public IActionResult Test(MySubmit mySubmit)
{
return Ok(mySubmit);
}
An Implementation of RequireRolesForBindingFilter
I create an implementation of RequireRolesForBindingFilter for your reference:
public class RequireRolesForBindingFilter : IAsyncActionFilter
{
private readonly IAuthorizationService _authSvc;
public RequireRolesForBindingFilter(IAuthorizationService authSvc)
{
this._authSvc = authSvc;
}
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
// skip early when User ==null,
// if you don't want to allow anonymous access, use `[Authorize]`
if(context.HttpContext.User !=null) {
await this._checkUserRights(context.ActionArguments, context.HttpContext.User);
}
await next();
}
private async Task _checkUserRights(IDictionary<string, object> args, ClaimsPrincipal user){
// handle each argument
foreach(var kvp in args){
if(kvp.Value==null) { return; }
var valueType = kvp.Value.GetType();
if(await _shouldSetNullForType(valueType, user)) {
args[kvp.Key] = valueType.IsValueType? Activator.CreateInstance(valueType) : null;
}else{
// handle each property of this argument
foreach(var pi in valueType.GetProperties())
{
var pv = pi.GetValue(kvp.Value);
await _checkPropertiesRecursive( instanceValue: kvp.Value, propInfo: pi, user: user);
}
}
}
async Task<bool> _shouldSetNullForType(Type type, ClaimsPrincipal user)
{
// the `RequireRolesForBindingAttribute`
var attr= type
.GetCustomAttributes(typeof(RequireRolesForBindingAttribute), false)
.OfType<RequireRolesForBindingAttribute>()
.FirstOrDefault();
return await _shouldSetNullForAttribute(attr,user);
}
async Task<bool> _shouldSetNullForPropInfo(PropertyInfo pi, ClaimsPrincipal user)
{
// the `RequireRolesForBindingAttribute`
var attr= pi
.GetCustomAttributes(typeof(RequireRolesForBindingAttribute), false)
.OfType<RequireRolesForBindingAttribute>()
.FirstOrDefault();
return await _shouldSetNullForAttribute(attr,user);
}
async Task<bool> _shouldSetNullForAttribute(RequireRolesForBindingAttribute attr, ClaimsPrincipal user)
{
if(attr!=null) {
var policy = new AuthorizationPolicyBuilder().RequireRole(attr.Roles).Build();
// does the user have the rights?
var authResult = await this._authSvc.AuthorizeAsync(user, null, policy);
if(!authResult.Succeeded){
return true;
}
}
return false;
}
// check one property (propInfo) for instance `instanceValue`
async Task _checkPropertiesRecursive(object instanceValue, PropertyInfo propInfo, ClaimsPrincipal user){
if(instanceValue == null) return;
Type propType = propInfo.PropertyType;
object propValue = propInfo.GetValue(instanceValue);
if(await _shouldSetNullForPropInfo(propInfo, user))
{
propInfo.SetValue(instanceValue, propType.IsValueType? Activator.CreateInstance(propType) : null);
}
else if( !shouldSkipCheckChildren(propType) && propValue!=null ){
// process every sub property for this propType
foreach(var spi in propType.GetProperties())
{
await _checkPropertiesRecursive(instanceValue: propValue , spi, user );
}
}
bool shouldSkipCheckChildren(Type type) => (type == typeof(string) || type == typeof(DateTime));
}
}
}
Demo:
When some user, who has no rights to submit the comment and note filed, sends a payload as below:
POST https://localhost:5001/home/test
cookie: <my-cookie>
Content-Type: application/x-www-form-urlencoded
name=a&isActive=true&comment=abc&sub.Name=s1&sub.note=magic
The response will be:
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json; charset=utf-8
Server: Kestrel
Transfer-Encoding: chunked
{
"name": "a",
"isActive": "true",
"comment": null,
"sub": {
"id": 0,
"name": "s1",
"note": null
}
}
There are really two actions that you want to perform -- validation and conditional editing of the incoming model. For complex validation, you should consider using something like FluentValidation (https://fluentvalidation.net/), which is quite flexible, integrates with MVC's ModelState and will allow you to check all sorts of things based on conditions. It's not clear from your post if you referring to "claims" in the general sense or specifically to ASP.Net Identity Claims -- either way, you can pull identity information into the FluentValidation Validator and create conditional checks based on identity information. The validators (FV or otherwise) don't really handle resetting/editing the model. For your example, you can simply alter the model directly after the validation is complete.
// if Validation is successful
if (isAdmin) { // however you are checking their role
submit.Comment = null; // or whatever the default value should be
}
// Do something with the incoming model / dave to DB etc
I have AuthActivityAttribute class. the purpose of this class is to authorize that the user have permission to perform specific activity.
Attribute Class :
[AttributeUsage(AttributeTargets.All)]
public class AuthActivityAttribute : Attribute
{
#region Properties
public string ActivityName { get; set; }
#endregion
#region Constructor
public AuthActivityAttribute()
{
}
#endregion
#region MemberFunctions
private List<aspnetactivities> GetUserActivities(ApplicationUser currentUser)
{
IList<string> roles = DALAccessObjectObj.UserDALObj.GetUserRoles(currentUser);
List<aspnetactivities> lstAspnetActivites = new List<aspnetactivities>();
foreach (string role in roles)
{
List<aspnetactivities> activities = DALAccessObjectObj.UserDALObj.GetRoleActivity(role);
lstAspnetActivites.AddRange(activities);
}
return lstAspnetActivites;
}
public void ValidateUserActivity()
{
DALAccessObjectObj.UserDALObj = new UserDAL();
ApplicationUser currentUser = DALAccessObjectObj.UserDALObj.GetUserById(HttpContext.Current.User.Identity.GetUserId());
if (GetUserActivities(currentUser).Where(r => r.ActivityName.Equals(ActivityName, StringComparison.InvariantCultureIgnoreCase)
).Select(r => r).Count() > 0)
{
throw new Exception(string.Format("User is not allowed to perform activity named : {0}", ActivityName));
}
}
#endregion
}
I have a Account controller class. All I need is user can only be registered if he is allowed to perform registration activity. However when i send the request the attribute does not validate any thing . Please let me know am i missing something or what ?
Class decorated With Attribute
public class AccountController : BaseApiController
{
[AuthActivityAttribute(ActivityName = "Register")]
public async Task<IHttpActionResult> Register(RegisterBindingModel model)
{
// do something ...
}
}
for example : we put validation on property like [MaxLength(10)] so it validates that the property must have length less than 10. or Authorize attribute in C#. like only admin can access the specific method. So this is something i need to achieve
[Authorize("Administrator")]
public void DeleteUser()
{
// do something
}
What i want ?
[AuthActivity("DeleteUser")]
public void DeleteUser()
{
// do something
}
If your goal is to let or not the user to perform a task, you don't need to create a custom attribute, you can use Authorize attribute, for each action and specify the Roles which are allowed to execute that action.
Any way, if you want to perform some custom task using a custom attribute, you must use reflection to get the actions which has that attribute and to get the properties of that attribute, something like:
public static class CustomAttrr
{
public static IEnumerable<ActionsWithAuthActivityAttribute> GetItems(Assembly types)
{
var model = from type in types.GetTypes()
from methodInfo in type.GetMethods().Where(x => x.GetCustomAttributes<AuthActivityAttribute>().Any())
from attribute in methodInfo.GetCustomAttributes()
where attribute is AuthActivityAttribute
let a = attribute as AuthActivityAttribute
select new ActionsWithAuthActivityAttribute
{
ActionName = methodInfo.Name,
ActivityName = a.ActivityName,
};
return model.ToList();
}
}
public class AuthActivityAttribute:Attribute
{
public string ActivityName { get; set; }
}
public class ActionsWithAuthActivityAttribute
{
public string ActionName { get; set; }
public string ActivityName { get; set; }
}
Now, you have a list of all actions decorated with your attribute, and you can do what ever you want.
var listAction = CustomAttrr.GetItems(Assembly.GetExecutingAssembly());
var listActionsRegister = listAction.Where(x => x.ActivityName.Equals("Register"));
Now you can check user role versus this list, but like I said, you do not need this custom attribute.
I posted this code only for you to see how to access the custom attribute.
I've found that I have a lot of repeated code in all of my actions, and want to know the best way to avoid this. Say for example that each logged on user belongs to a school and I need to access this SchoolId in almost every action.
They way I have it now almost every action will have a repeated database hit and need to reference my userService class...something like:
public ActionResult Index()
{
var schoolId = userService.GetSchoolId(User.Identity.GetUserId());
var textBooksForSchool = textBookService.GetBooks(schoolId);
...
}
public ActionResult Delete()
{
var schoolId = userService.GetSchoolId(User.Identity.GetUserId());//all over the place
var textBooksForSchool = textBookService.DeleteBooks(schoolId);
...
}
I know that I can add the SchoolId to the claims but the syntax for returning it in every method is quite verbose (as far as I understand this avoids the db hit each time the claim is accessed?):
In GenerateIdentityAsync:
var claims = new Collection<Claim>
{
new Claim("SchoolId", User.SchoolId.ToString())
};
userIdentity.AddClaims(claims);
In Action:
var SchoolId = Convert.ToInt32((User as ClaimsPrincipal).Claims.First(x => x.Type == "SchoolId").Value);
Is there some kind of best practice here? Possibly storing the claim in a global variable on logon?
This is how I am doing...
Base Controller
public class BaseController : Controller
{
public AppUser CurrentUser
{
get
{
return new AppUser(this.User as ClaimsPrincipal);
}
}
}
Claims Principal
public class AppUser : ClaimsPrincipal
{
public AppUser(ClaimsPrincipal principal)
: base(principal)
{
}
public string Name
{
get
{
return this.FindFirst(ClaimTypes.Name).Value;
}
}
public string Email
{
get
{
return this.FindFirst(ClaimTypes.Email).Value;
}
}
}
In the other controller you can access the claim type just by doing
CurrentUser.Email
What about creating your own base controller that all your controllers inherit from that has SchoolId as a property and then creating an ActionFilter that casts each controller as that base controller and sets that value on every request? Then it will be available on all your actions but you only have to write the code once.
It will fire each request, so you might consider other techniques for minimizing the number of times you have to look up the value, but this mechanism is a way to solve your code duplication issue.
I really like the extension method approach:
public static int SchoolId(this IPrincipal principal)
{
return Convert.ToInt32((principal as ClaimsPrincipal).Claims.First(x => x.Type == "SchoolId").Value);
}
Action:
var textBooksForSchool = textBookService.GetBooks(User.SchoolId());
I'm trying to implementing a new permission based access approach for my MVC application; We have several Permission Group and each group contains a list of Permission. for example we have Invoices permission group which contains CreateInvoice,RemoveInvoice,etc permission keys.
In this approach each mvc Action should requires a specific permission for execution. I'm trying to do this through CustomAttributes, something like this :
public class InvoiceController : Controller
{
[RequirePermission(Permissions.Invoices.CreateInvoice)]
public ActionResult Create()
{
return View();
}
}
To make it easier for developers to remember different Permission Groups and Permission Keys I'm trying to create a pre-defined list of permissions that should be a combination of permission group and permission key. but due to restrictions applied to using attributes arguments in C#
I couldn't make it work yet. (I don't want to make an extra large enumurator and put all permission keys in there)
my last try was creating an enumerator for each permission group and then define permission keys as enum constants in there :
public class PermissionEnums
{
[PermissionGroup(PermissionGroupCode.Invoice)]
public enum Invoices
{
CreateInvoice = 1,
UpdateInvoice = 2,
RemoveInvoice = 3,
ManageAttachments = 4
}
[PermissionGroup(PermissionGroupCode.UserAccounts)]
public enum UserAccounts
{
Create = 1,
ChangePassword = 2
}
}
As you can see we have a combination of codes here, the permission group key specified using a PermissionGroup attribute and permission key's code specified as numeral code on each enum constant.
the RequirePermission attribute defined as below :
public class RequirePermissionAttribute : Attribute
{
private Enum _Permission;
public RequirePermissionAttribute(Enum Permission)
: base()
{
_Permission = Permission;
}
}
but the problem is that objects of type Enum could not be used as Attribute Arguments.
Any suggestion/idea is appreciated
I've found the solution, the only thing needs to be changed is type of constructure parameter. instead of using Enum you have to use object :
public class RequirePermissionAttribute : AuthorizeAttribute
{
private object _Permission;
public RequirePermissionAttribute(object Permission)
: base()
{
_Permission = Permission;
}
}
Here is the complete code :
/***************** Permission Groups And Keys *****************/
public static class Permissions
{
[PermissionGroup(PermissionGroupCode.Invoice)]
public enum Invoices
{
CreateInvoice = 1,
UpdateInvoice = 2,
RemoveInvoice = 3,
ManageAttachments = 4
}
[PermissionGroup(PermissionGroupCode.UserAccounts)]
public enum UserAccounts
{
Create = 1,
ChangePassword = 2
}
}
public enum PermissionGroupCode
{
Invoice = 1,
UserAccounts = 2,
Members = 3
}
/***************** Attributes & ActionFilters *****************/
[AttributeUsage(AttributeTargets.Enum)]
public class PermissionGroupAttribute : Attribute
{
private PermissionGroupCode _GroupCode;
public PermissionGroupCode GroupCode
{
get
{
return _GroupCode;
}
}
public PermissionGroupAttribute(PermissionGroupCode GroupCode)
{
_GroupCode = GroupCode;
}
}
public class RequirePermissionAttribute : AuthorizeAttribute
{
private object _RequiredPermission;
public RequirePermissionAttribute(object RequiredPermission)
: base()
{
_RequiredPermission = RequiredPermission;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var permissionGroupMetadata = (PermissionGroupAttribute)_RequiredPermission.GetType().GetCustomAttributes(typeof(PermissionGroupAttribute), false)[0];
var groupCode = permissionGroupMetadata.GroupCode;
var permissionCode = Convert.ToInt32(_RequiredPermission);
return HasPermission(currentUserId, groupCode, permissionCode);
}
}
I don't think thats possible I tried to do your thing and failed :/ sorry.
Permissions on actions should be used with Authorize and you can make your own ovveride writing something like this:
[AttributeUsage(AttributeTargets.All)]
public sealed class CustomAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
//Its a piece of code from my app you can modify it to suit your needs or use the base one
if (!new CustomIdentity(httpContext.User.Identity.Name).IsAuthenticated)
{
return false;
}
return true;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
base.HandleUnauthorizedRequest(filterContext);
}
}
then on your action:
[CustomAuthorizeAttribute(Roles = "FE")]
public ActionResult Index()
{
return RedirectToAction("Index", "Documents");
}
however its still a string that you use and for it to work you need to combine it with Custom Role provider. Much hussle but worth it in my opinion.
I recently starded developing for MVC 3 but have experience in both C# and ASP.NET since earlier. So i'll start with what i'm trying to accomplish. I've developed a small site for hosting articles. I've implemented SQLServer based membership managament to the site. Now i want to create a credentials system that restricts and allows the right users to create, delete and update articles. There is one simple solution to this and that is to do it like this:
[Authorize(Roles="Admin")]
public ActionResult UpdateArticle(ArticleModel model, int articleid)
{
return View();
}
Now this is really simple. I simply say that only members that are in the role "Admin" are allowed to update an article. But that's just to static. So i created a credentials table in my database that in the end tells me that "Article 5 can be edited by roles 1,2,3 & 4 and by users A, b & C". So far so good. But how would i implement that with the Authorize solution?
I would like to do something like this:
[Authorize(getAuthorizedusers("update",this.articleid))]
where getAuthorizedusers returns which users and roles are authorized to update the article with the articleid that was passed to it.
So I have (at least) two problems here:
-Getting the Authorize method to accept multiple users and roles.
-Passing the supplied articleid, that was sent to the UpdateArticle method, to the getAuthorizedusers method.
You can create your own custom attribute that inherits from AuthorizeAttribute and override the OnAuthorize method to do what you need.
This should get you started:
public class ArticleAuthorizeAttribute : AuthorizeAttribute
{
public enum ArticleAction
{
Read,
Create,
Update,
Delete
}
public ArticleAction Action { get; set; }
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
//do custom authorizization using Action and getting ArticleID
//from filterContext.HttpContext.Request.QueryString or
//filterContext.HttpContext.Request.Form
}
}
The usage would look like this:
[ArticleAuthorize(Action=ArticleAuthorizeAttribute.ArticleAction.Update)]
Edit: After looking into this a bit more, it looks like you can't pass this.articleID in to the attribute. However, you do have access to the parameters from filterContext.HttpContext.Request through the QueryString property or the Form property, depending on how you are passing the values. I have updated the code sample appropriately.
A more complete example can be found here
To check for authorization using user role and user list you would do something like this:
var allowedUsers = new List<string>();
//populate allowedUsers from DB
If (User.IsInRole("Update") || allowedUsers.Contains(User.Identity.Name))
{
//authorized
}
Alternatively, you can do both checks against the DB directly in a single method to keep from making two calls.
Here's a much easier way to accomplish the same thing:
[Authorize]
public ActionResult UpdateArticle(ArticleModel model, int articleid)
{
// if current user is an article editor
return View();
// else
return View("Error");
}
I got it working as I wanted when I overrode the AuthorizeCore method and authorizes the way I want to.
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException("httpContext");
}
IPrincipal user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
if ((_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) && (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole)))
{
return false;
}
return true;
}