ASP.NET Role Management, How does that work? - c#

My ASP.NET application allows users to log in and access certain information from the website. These users basically belong to multiple roles, e.g. I have roles like "Administrators", "Power Users" and "Guests". The users are allowed to modify or view data on the .aspx page as per their roles. I read through about Role Management in ASP.NET on MSN. What I could figure out is that the pages related to each role are sorted into a separate folder, i.e. I need to have subfolders like "Administrators", "Power Users" and "Guests". So when a user logs in he is redirected to the pages in the role he belongs to. Am I right?
Here the drawback is that if I need to make some changes to the Administrator folder, I will also need to make the same changes to the other folders.
This would make it very cumbersome and difficult to track sometimes. Is there some other way we can do this?
Thanks & Regards,
Sarin Gopalan

Well, you can manage it by separating user-specific functionality into specific controllers, i.e. AdminController, UserController.
You can extract functions that are not user-specific into a common controller and access them directly from there.
Additionally, the Authorize attribute can be applied on a controller or even on a method. It will allow you to have fine-grained control over who can access a method in a controller.
[Authorize(Roles = "ADMIN, Sales Admin")]

Related

Adding superuser to ASP.NET API that includes same permissions as a regular user

I have an ASP.NET MVC API that serves both regular users and admin users. Admin users can do everything regular users can do plus additional functionality.
The HttpContext of requests stores user info which indicates the role of a user. Some endpoints are for use by admin users only. All other endpoints are accessible by all users. Currently, a single controller is being used for both types of user with permissions being used to restrict access accordingly.
However, I'm unsure if this is a good approach because a permission could mistakenly be assigned to the wrong role, or a developer may check the wrong permission for a new endpoint that should be for admin users only.
So, I'm considering two solutions to separate the concerns:
Add a Boolean attribute (e.g., IsAdminUseOnly) to the endpoints. This seems like a quick decision, but would cause code pollution as every endpoint that is for admin use would require true to be specified in the endpoint decorator.
Create a subclass "admin" controller that derives from the regular user controller (in a similar way to that described in this question). The parent and child controllers would effectively each have a different Route (e.g., MyController and MyAdminController). The child (admin) controller would inherit all endpoints from the parent controller. Of course, role access would be specified in the child controller as described in this answer using [Authorize(Roles = RolesConvention.Administrator)] for example.
Would either of the above be a suitable solution for this problem, or are there other more suitable methods to achieve the SoC described above?
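Both patterns from the first answer (role-specific controllers, a shared controller, and [Authorize] at class or method level) and the derived admin controller considered in this question can be seen side by side in the following added example. It is not code from either post; it targets classic ASP.NET MVC (System.Web.Mvc) with default convention routing, and the RolesConvention constants, OrdersController and AdminOrdersController are names made up for the example.

```csharp
using System.Web.Mvc;

// Role names used throughout; assumed constants, not from the original posts.
public static class RolesConvention
{
    public const string Administrator = "Administrator";
    public const string User = "User";
}

// Shared controller: routes to /Orders/... under default convention routing.
// Requiring authentication at class level means a newly added action cannot
// be exposed to anonymous callers by accident; it has to be opted out with
// [AllowAnonymous] explicitly.
[Authorize]
public class OrdersController : Controller
{
    public ActionResult Index()
    {
        // Every user sees only their own orders; the restriction lives in the
        // query, not only in the attribute.
        return Content("Orders for " + User.Identity.Name);
    }

    // One admin-only action on an otherwise shared controller: the attribute
    // on the method tightens the class-level requirement for this action only.
    [Authorize(Roles = RolesConvention.Administrator)]
    public ActionResult All()
    {
        return Content("All orders");
    }
}

// Derived admin controller: routes to /AdminOrders/... and inherits every
// public action of OrdersController. The class-level attribute here applies to
// the inherited actions as well, so /AdminOrders/Index requires the
// Administrator role while /Orders/Index keeps the looser rule. Actions that
// must not exist for regular users at all are declared only on this class.
[Authorize(Roles = RolesConvention.Administrator)]
public class AdminOrdersController : OrdersController
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Cancel(int id)
    {
        return Content("Cancelled order " + id);
    }
}
```

The worry in the question (a developer checking the wrong permission on a new admin endpoint) is addressed by where the default sits: on AdminOrdersController every action is admin-only unless someone deliberately loosens it, and on OrdersController every action is at least authenticated. The same attribute shape works unchanged in ASP.NET Core MVC.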

Redirecting Anonymous User or wrong user type to login page within a specific controller in ASP.net MVC 3

I have two sections to my site, one is the front end customer portal which serves as a storefront. The other is where merchants can edit their wares, prices and the look of their store page in the storefront.
The former can be accessed by anyone, anonymous user or customer accounts, but the latter should only be accessible by merchant accounts that are logged in. If someone attempts to use a link to access parts of the merchant site without being logged in as a merchant, they should be redirected to the merchant log in.
I have a few lines I can put at the top of every Action like this:
if (!(User.Identity.IsAuthenticated
&& User.IsInRole(VendorsController.Role)))
return RedirectToAction("Login", "Vendors");
But adding that to the beginning of each action feels like it's bad practice. I've also seen a few posts about modifying the web.config but I think that's for an earlier version of MVC.
Is there a way to create an event listener that interrupts an action call to redirect to login, if the user isn't logged in as the right user type? Or will I have to add this line of code to each action?
I'd use an AuthenticationFilter, where you create a custom AuthenticationFilter and then apply it to controllers or actions as per your need.
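The answer points at an authentication filter. IAuthenticationFilter was introduced in ASP.NET MVC 5, so for the MVC 3 site described in the question the equivalent reusable filter is a subclass of AuthorizeAttribute whose unauthorized handling redirects to the merchant login. The following is an added example, not the poster's code; it reuses the VendorsController.Role constant and the Vendors/Login action from the question, and the attribute and MerchantController names are made up for the example.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Replaces the three-line check at the top of every action. AuthorizeCore in
// the base class already implements exactly that condition: the request must
// be authenticated AND the user must be in one of the listed roles.
public sealed class VendorOnlyAttribute : AuthorizeAttribute
{
    public VendorOnlyAttribute()
    {
        Roles = VendorsController.Role;
    }

    // Called for anonymous users and for authenticated users of the wrong type
    // alike. The default would return a 401 and bounce to the forms-auth login
    // page from web.config; the merchant area wants its own login instead.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary
            {
                { "controller", "Vendors" },
                { "action", "Login" },
                // Local path only, so the login page can send the user back
                // without becoming an open redirect.
                { "returnUrl", filterContext.HttpContext.Request.RawUrl }
            });
    }
}

// Applied once at class level, the filter covers every action in the merchant
// area, including actions added later.
[VendorOnly]
public class MerchantController : Controller
{
    public ActionResult Dashboard()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult UpdatePrices(int productId, decimal price)
    {
        return RedirectToAction("Dashboard");
    }
}
```

The Login action should treat returnUrl as untrusted and only follow it when Url.IsLocalUrl(returnUrl) is true; the filter passes RawUrl, which is always local, but the parameter arrives from the client on the next request.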

ASP.NET How do you dynamically deny access to Role

I recently started trying to use the ASP.NET 4 Membership and Role providers in my web applications. But I'm having problems implementing a good security methodology.
I understand that using web.config files we can grant or deny access to certain aspx files, but is there any good built-in way to deny access to a specified Role under certain circumstances?
For example;
We have a page called "EditUser.aspx".
We have two user types; administrators and a standard users. This page is used to edit both types. However, only administrators should be able to edit other administrators.
What is the best approach to stop an authenticated user without the 'admin' role from being able to edit an administrator via EditUser.aspx?
I'm hoping for something a bit more elegant than the below:
// editUser is the account being edited; User is the current principal
if(editUser.IsInRole("admin") && !User.IsInRole("admin"))
{
Response.Redirect("SomeAccessDeniedPage.aspx");
}
Thanks,
Phil
One thing to consider is to use the LoginView server control with the RoleGroups element. Maybe bind the admin users in a separate gridview and wrap that in a LoginView set to only display to users in the admin role.
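A LoginView with RoleGroups decides what is rendered, which is a display decision: the postback that saves the edit still arrives whether or not the grid was shown, so the rule from the question has to be enforced on the server as well. The following added example (not the poster's code) factors that rule into a method the page calls on every request. It assumes the Web Forms page is EditUser.aspx with a code-behind class named EditUser, that the target account name arrives in a query string parameter named user, and that the denied page is AccessDenied.aspx; all of those are assumptions for the example.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

public partial class EditUser : Page
{
    const string AdminRole = "admin";

    // The rule itself, with no dependency on HttpContext so it can be unit
    // tested: only an authenticated admin may edit an admin; anyone
    // authenticated may edit a standard user.
    public static bool CanEdit(IPrincipal editor, bool targetIsAdmin)
    {
        if (editor == null || editor.Identity == null || !editor.Identity.IsAuthenticated)
            return false;
        return !targetIsAdmin || editor.IsInRole(AdminRole);
    }

    string TargetUserName
    {
        get { return Request.QueryString["user"]; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Deliberately outside "if (!IsPostBack)": Page_Load runs before any
        // button handler, so this check also covers the Save postback.
        EnforceEditRule();

        if (!IsPostBack)
        {
            // Bind the edit form for TargetUserName here.
        }
    }

    void EnforceEditRule()
    {
        string target = TargetUserName;

        // Roles.IsUserInRole throws on a null or empty name; treat a missing
        // target as a denied request rather than an error page.
        if (string.IsNullOrEmpty(target))
        {
            Response.Redirect("~/AccessDenied.aspx", true);
            return;
        }

        bool targetIsAdmin = Roles.IsUserInRole(target, AdminRole);
        if (!CanEdit(User, targetIsAdmin))
        {
            Response.Redirect("~/AccessDenied.aspx", true);
        }
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Page_Load has already run EnforceEditRule for this postback; persist
        // the changes for TargetUserName here.
    }
}
```

Hiding the admin grid inside a LoginView role group remains useful for the user experience; the server-side check is what makes the rule hold for a request that never rendered the page.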

Admin vs users pages. Best way to set up? ASP.NET C# Membership Services

I have a set of unauthorized pages that anyone can access (mainly the register page). Once a user is registered with personal info and group info, I want them to be admin, they then can access the authorized pages. On the authorized pages, I have a add member page, which creates a new user and that user inherits the admins group info. These people will be regular users and I don't want them to access the add member page and other select pages.
So what's the best way to set this up? I have an extra table that saves some extra user info for everyone, would I include some type of true/false admin column? ASP.NET configuration? What else?
I have my auth and un-auth pages set up with asp.net config with each set of pages in a different directory.
I'm using membership services, MS SQL, ASP.NET, etc
Sounds like Role Management should be a good solution for this.
The best way to implement this would be to create a role via Membership Services for site Administrators.
You could then easily decorate your Admin only Controller Actions with:
[Authorize(Roles = "Admin")]
Assign the users a role [user] while creating the account...
Use this code to restrict non-administrative users.
If User.IsInRole("Administrator") Then
    ' code only administrators may run
Else
    ' code for everyone else
End If
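The two answers above amount to: create roles through Membership Services, give self-registered users the administrator role, give accounts created from the add-member page the plain user role, and then restrict pages by role. The following added example (not code from either answer) shows those steps with the System.Web.Security Membership and Roles APIs. The AccountSetup class and the role names "Administrator" and "user" are chosen for the example; the custom per-user table the question mentions is left out because the role is the only thing the authorization decision needs.

```csharp
using System;
using System.Web.Security;

public static class AccountSetup
{
    public const string AdminRole = "Administrator";
    public const string MemberRole = "user";

    // Idempotent; call once from Application_Start so both roles exist before
    // the first registration.
    public static void EnsureRoles()
    {
        foreach (string role in new[] { AdminRole, MemberRole })
        {
            if (!Roles.RoleExists(role))
                Roles.CreateRole(role);
        }
    }

    // Self-registration from the public register page. The new account owns
    // its group, so it becomes an administrator.
    public static MembershipCreateStatus RegisterAdmin(string userName, string password, string email)
    {
        return CreateUserInRole(userName, password, email, AdminRole);
    }

    // Called from the admin-only "add member" page. The page itself is locked
    // down by web.config, but re-checking here means a page that is later
    // moved or misconfigured still cannot mint members for a non-admin.
    public static MembershipCreateStatus AddMember(string callerUserName, string userName, string password, string email)
    {
        if (string.IsNullOrEmpty(callerUserName) || !Roles.IsUserInRole(callerUserName, AdminRole))
            throw new UnauthorizedAccessException("Only administrators may add members.");

        return CreateUserInRole(userName, password, email, MemberRole);
    }

    static MembershipCreateStatus CreateUserInRole(string userName, string password, string email, string role)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email,
                              null, null, true, null, out status);

        // Assign the role only when the provider actually created the account;
        // Roles.AddUserToRole on a non-existent user throws.
        if (status == MembershipCreateStatus.Success)
            Roles.AddUserToRole(userName, role);

        return status;
    }
}
```

With the roles in place, the add-member page and the other admin-only pages are restricted with a location element in web.config that allows roles="Administrator" and then denies users="*"; the order matters, since the first matching rule wins. The "true/false admin column" the question considers would duplicate what the role already states and would have to be kept in sync with it.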

C#/ASP.NET Custom Permissions to Perform Specific Action

I'm building a web application where I want users to have specific permissions to perform a specific action. I don't want to use the default permission and role providers in ASP.NET.
I was thinking of having each User associated with a Role. Each Role is mapped to a set of Permissions (CreatePost, ReadPost, UpdatePost, DeletePost and so on).
I have a couple of questions regarding this. Would it be best to have a boolean property for each Permission on the role or some sort of bitfield? I like the idea of having methods for this but probably need to map these to the permissions stored for the role in the database.
Also, how would I implement this for each action/request? I'm thinking something along the lines of what was posted here but I'm not really sure.
Thanks!
Make your own role provider and register it in the web.config. Look at the MSDN for a sample. Once it is registered it will associate the roles you provide with the principal.
I've just done that for one of my projects and it works fine.
To check whether the user has permission to execute a task you'll have to see whether the user is in the required role. In "normal" ASP.NET you will have to do this in code. In MVC you can do that with attributes on each class/method in the controller.
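For the bitfield question and the "how do I apply this per action" question, the following added example (not the poster's or answerer's code) uses a [Flags] enum for the permissions named in the question, a role-to-permission table, and an MVC filter that checks the permission of the current principal. It assumes classic ASP.NET MVC (System.Web.Mvc) and that a role provider, custom or otherwise, has already attached the user's roles to the principal as the answer describes; the role names Reader, Author and Editor and the in-memory table are constructed for the example in place of the database lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// One bit per permission. Stored as a single int column per role, and new
// permissions are new bits rather than new columns.
[Flags]
public enum Permission
{
    None       = 0,
    CreatePost = 1 << 0,
    ReadPost   = 1 << 1,
    UpdatePost = 1 << 2,
    DeletePost = 1 << 3
}

public static class PermissionTable
{
    // Constructed for the example; in the real application this is the
    // role -> permissions mapping loaded from the database.
    static readonly Dictionary<string, Permission> ByRole =
        new Dictionary<string, Permission>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reader", Permission.ReadPost },
            { "Author", Permission.ReadPost | Permission.CreatePost | Permission.UpdatePost },
            { "Editor", Permission.ReadPost | Permission.CreatePost
                      | Permission.UpdatePost | Permission.DeletePost }
        };

    // Union of the permissions of every role the principal holds. Roles that
    // are not in the table contribute nothing, so an unknown role cannot
    // grant anything by accident.
    public static Permission For(IPrincipal user)
    {
        var granted = Permission.None;
        foreach (var entry in ByRole)
        {
            if (user.IsInRole(entry.Key))
                granted |= entry.Value;
        }
        return granted;
    }

    // All required bits must be present; a single shared bit is not enough.
    public static bool Has(Permission granted, Permission required)
    {
        return required != Permission.None && (granted & required) == required;
    }
}

// Per-action check. Deriving from AuthorizeAttribute keeps the framework's
// handling of unauthorized requests and its output-cache safeguards.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    readonly Permission required;

    public RequirePermissionAttribute(Permission required)
    {
        this.required = required;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return PermissionTable.Has(PermissionTable.For(user), required);
    }
}

public class PostsController : Controller
{
    [RequirePermission(Permission.ReadPost)]
    public ActionResult Details(int id)
    {
        return View();
    }

    // Enum flags combine with | inside an attribute argument because the
    // expression is a compile-time constant.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [RequirePermission(Permission.UpdatePost | Permission.DeletePost)]
    public ActionResult Replace(int id)
    {
        return RedirectToAction("Details", new { id });
    }
}
```

The bitfield answers the first question: a boolean per permission means a schema change and a new property for every permission added, whereas the flags enum only needs a new member, and the check is one AND and one comparison. In non-MVC Web Forms code the same PermissionTable.Has call is made directly in the page, as the answer notes.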
