I have my ASP.NET MVC 4 project and database (SQL Server 2008)
And I've created an entity framework model, with auto-generated models.
And in the database there is a table called Roles (2 fields, Id and name)
There are 3 roles: admin, moderator, user.
Plus Account controller:
public class AccountController : Controller
{
private korovin_idzEntities db = new korovin_idzEntities();
//
// GET: /Account/LogOn
public ActionResult LogOn()
{
return View();
}
//
// POST: /Account/LogOn
[HttpPost]
public ActionResult LogOn(LogOnModel model/*, string returnUrl*/)
{
if (ModelState.IsValid)
{
var user = db.Users.Where(x => x.username == model.UserName && x.password == model.Password).FirstOrDefault();
if (user != null)
{
user.isRemember = model.RememberMe;
db.SaveChanges();
ViewBag.UserName = model.UserName;
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
FormsAuthentication.RedirectFromLoginPage(model.UserName, false);
}
else
{
ModelState.AddModelError("", "The user name or password provided is incorrect.");
}
}
return View(model);
}
}
Where and how can i initialize roles in my asp.net mvc application? I've tried to check whether role exists and to initialize role by rolemanager in account controller, but i think it's not a good solution.
Is it possible to initialize roles in global.asax.cs?
I know that I should attach roles to user in log on function.
Thanks in advance :)
Here is my solution, I thought that there is some kind of a structure for storing a names of roles and there is needed to initialize this structure, but i was wrong, and after googling, I've found the solution:
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
var context = HttpContext.Current;
if (context.Request.IsAuthenticated)
{
string[] roles = LookupRolesForUser(context.User.Identity.Name);
var newUser = new GenericPrincipal(context.User.Identity, roles);
context.User = Thread.CurrentPrincipal = newUser;
}
}
#region helper
private string[] LookupRolesForUser(string userName)
{
string[] roles = new string[1];
CosmosMusic.Models.korovin_idzEntities db = new CosmosMusic.Models.korovin_idzEntities();
var roleId = db.Users.Where(x => x.username == userName).FirstOrDefault().id_role;
roles[0] = db.Role.Where(y => y.id_role == roleId).FirstOrDefault().name;
return roles;
}
#endregion
Related
I am new to ASP.NET MVC and am trying to create a web app.
The problem I have is that in the controller class I need to get the UserID of the current user, but I am very confused about how one would do that.
Also, it seems that the user is not authenticated after logging in, because if I use the [Authorize] annotation it throws an HTTP Error 401.0 - Unauthorized error.
This is my Authentication.cs class:
public static class Authentication
{
public static bool CreateNewTicket(User user, bool rememberMe)
{
try
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
user.Email,
DateTime.Now,
DateTime.Now.AddDays(5),
rememberMe,
user.ID.ToString(),
FormsAuthentication.FormsCookiePath
);
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
cookie.HttpOnly = true;
if (!HttpContext.Current.Request.IsLocal)
cookie.Secure = true;
HttpContext.Current.Response.Cookies.Add(cookie);
return true;
}
catch
{
return false;
}
}
public static bool AuthUser(string Email, string Password)
{
using (var db = new AntContext())
{
string password = Password;
string email = Email;
string hashedPW = GetHash(password);
bool userValid = db.Users.Any(user => user.Email == email && user.Password == hashedPW);
if (userValid)
{
var actUser = db.Users.FirstOrDefault(u => u.Email == Email && u.Password == hashedPW);
if (!actUser.IsLocked)
{
if (CreateNewTicket(actUser, false))
{
return true;
}
else
{
return false;
}
}
else if (actUser.IsLocked)
{
}
}
return false;
}
}
The actual problem happens when I try to store data in a database.
[HttpPost]
public ActionResult Q_FirstPage(ViewModels.Q1_Answer_VM vm)
{
vm.Qst = new Models.Questionnaire();
vm.Qst.NumericAnswers = new List<Models.NumericAnswer>();
vm.Qst.TextAnswers = new List<Models.TextAnswer>();
vm.Qst.IsComplete = false;
vm.Qst.StartedOn = DateTime.Now;
vm.Qst.NumericAnswers.Add(vm.Breite);
vm.Qst.NumericAnswers.Add(vm.Tiefe);
vm.Qst.NumericAnswers.Add(vm.Hoehe);
vm.Qst.TextAnswers.Add(vm.Sonstiges);
//vm.qst.User_ID = 22; if I set the User ID manually, it works
db.Questionnaires.Add(vm.Qst);
db.SaveChanges();
return View();
}
The Viewmodel works fine and returns the data input, but the UserID is null. The data table "Questionnaire" uses the UserID as a foreign key, which makes it throw an error when it comes to the savedata() part because I guess it expects the correct UserID. So I guess I need to get the current UserID, pass it to the instantiated object which is then passed to the data context and then saved into the database.
Unfortunately, I find it very hard to find complete information about how user authentication works in ASP.NET.
If you need more information, please let me know.
This is my Login method:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(Login_VM login_vm)
{
if (!ModelState.IsValid)
{
return View(login_vm);
}
if (Authentication.AuthUser(login_vm.Email, login_vm.Password) == true && (login_vm.Email != null || login_vm.Password != null))
{
Classes.Authentication.CreateNewTicket(login_vm.usr, true);
return RedirectToAction("Login");
}
else
return View("~/Views/Home/Index.cshtml");
}
And this is my registration method:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult AddUser(User model)
// add new User to db
{
if (ModelState.IsValid)
{
User usr = new Models.User();
usr = model;
model.Password = Authentication.GetHash(model.Password);
db.Users.Add(model);
db.SaveChanges();
}
return View();
}
Solved the problem by following this link: howto get the user id from a FormsAuthentication page in asp.net MVC? posted by https://stackoverflow.com/users/2516718/derloopkat
The System.Web.HttpContext.Current.User.Identity.Name Function returns the "name" attribute in the Authentication Ticket, which in my case was the email address. I then got the User ID by having a query to the Users database.
db.Users.Where(x => x.Email == System.Web.HttpContext.Current.User.Identity.Name).FirstOrDefault().ID;
Thanks for everybody's help.
Update in 2020: The query can be simplified to:
db.Users.FirstOrDefault(x => x.Email == System.Web.HttpContext.Current.User.Identity.Name).ID;
There are two simple ways to get current user in MVC 5.
If you are inside the controller class,the current user can be fetched as follows,
string userId = User.Identity.GetUserId();
Do not forget to add namespace:
using Microsoft.AspNet.Identity;
Other scenario could be that you are not inside the controller class and want to fetch the user information. You can fetch that using HttpContext class.
HttpContext.Current.User.Identity.GetUserId();
I use IIdentity interface For Getting current userid and username.
so implement following Method:
private static IIdentity GetIdentity()
{
if (HttpContext.Current != null && HttpContext.Current.User != null)
{
return HttpContext.Current.User.Identity;
}
return ClaimsPrincipal.Current != null ? ClaimsPrincipal.Current.Identity : null;
}
And Add this code: _.For<IIdentity>().Use(() => GetIdentity()); in my IoC Container[structuremap].
Usage
this._identity.GetUserId();
this._identity.GetUserName();
this._identity.IsAuthenticated
Now I Want to Implement GetEmailAdress Method, How To do this?
Example
this._identity.GetEmailAdress();
When use this._identity.GetUserName(); do not get username form database.
You could do something on these lines:
public static class IdentityExtensions
{
public static string GetEmailAdress(this IIdentity identity)
{
var userId = identity.GetUserId();
using (var context = new DbContext())
{
var user = context.Users.FirstOrDefault(u => u.Id == userId);
return user.Email;
}
}
}
and then you will be able to access it like:
this._identity.GetEmailAdress();
You can get the current user in ASP.NET Identity as shown below:
ApplicationUser user = System.Web.HttpContext.Current.GetOwinContext()
.GetUserManager<ApplicationUserManager>()
.FindById(System.Web.HttpContext.Current.User.Identity.GetUserId());
//If you use int instead of string for primary key, use this:
ApplicationUser user = System.Web.HttpContext.Current.GetOwinContext()
.GetUserManager<ApplicationUserManager>()
.FindById(Convert.ToInt32(System.Web.HttpContext.Current.User.Identity.GetUserId()));
For getting custom properties from `AspNetUsers` table:
ApplicationUser user = UserManager.FindByName(userName);
string mail= user.Email;
Home Controler
[AllowAnonymous]
public ActionResult GetUserEmail()
{
try
{
var userID = User.Identity.GetUserId();
ViewBag.EmailData = db.AspNetUsers.Where(s => s.Id == userID).Select(x => x.Email).FirstOrDefault().ToString();
return Content(ViewBag.EmailData);
}
catch
{
return null;
}
}
And in View
#{
string USREmail = Html.Action("GetUserEmail", "Home").ToString();
}
You Can Show Email
#USREmail
I am using MVC form base custom authentication using SQL database. I've Column with CustomerRole name.
I am checking Authorization as per following:
TestController.CS
[Authorize]
public ActionResult Index()
{
return View();
}
[Authorize(Roles="admin")]
public ActionResult AdminPage()
{
return View();
}
AccountController.cs
[HttpPost]
public ActionResult Login(UserModel model, string returnUrl)
{
// Lets first check if the Model is valid or not
if (ModelState.IsValid)
{
using (userDbEntities entities = new userDbEntities())
{
string username = model.username;
string password = model.password;
// Now if our password was enctypted or hashed we would have done the
// same operation on the user entered password here, But for now
// since the password is in plain text lets just authenticate directly
bool userValid = entities.Tbl_UserMast.Any(user => user.UserName == username && user.UserPassword == password);
// User found in the database
if (userValid)
{
FormsAuthentication.SetAuthCookie(username, false);
if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
&& !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
else
{
ModelState.AddModelError("", "The user name or password provided is incorrect.");
}
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
So when I go AdminPage Action. It shows me I am not Authorized.
If I change my column name as Roles, it is working. But I am not allowed to change column name. Is there any other alternative, where I can use Authorization with same column name
You should Try Custom Authentication Filer
Try this:
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
if (FormsAuthentication.CookiesSupported == true)
{
if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
{
try
{
//let us take out the username now
string username = FormsAuthentication.Decrypt(Request.Cookies[FormsAuthentication.FormsCookieName].Value).Name;
string roles = string.Empty;
using (userDbEntities entities = new userDbEntities())
{
var user = entities.Users.SingleOrDefault(u => u.username == UserName);
roles = user.UserRole;
}
//let us extract the roles from our own custom cookie
//Let us set the Pricipal with our user specific details
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(
new System.Security.Principal.GenericIdentity(username, "Forms"), roles.Split(';'));
}
catch (Exception)
{
//somehting went wrong
}
}
}
}
I'm working on an intranet, so far I have switched from Windows authentication to Form authentication and I'm able to connect / register etc.
But here's what I'm expected to do : Instead of being able to create and account through the usual forms route, I wish to link the list of employees (that has many parameters, such as Login, Password, Name etc.) and be able to create a new user when I create a new Employee.
Here is my Employee creation controller :
public ActionResult Create()
{
ViewBag.CompanyList = _service.ListCompany();
ViewBag.SupervisorList = _service.ListSupervisor();
return View();
}
//
// POST: /Employee/Create
[HttpPost]
public ActionResult Create([Bind(Exclude = "Id")] Employee objEmployee, FormCollection form)
{
ViewBag.CompanyList = _service.ListCompany();
ViewBag.SupervisorList = _service.ListSupervisor();
objEmployee.CreatedDate = System.DateTime.Now;
objEmployee.UpdatedDate = System.DateTime.Now;
objEmployee.CompanyId = int.Parse(form["CompanyId"]);
objEmployee.Supervisor = form["Supervisor"];
if (_service.Create(objEmployee))
return new RedirectResult(Url.Action("Index"));
else
{
if (!_service.Validate(objEmployee))
return View();
else
return new RedirectResult(Url.Action("Index", "Error", new { Message = "Error Create Employee", NextPage = CRAWebSiteMVC.Properties.Resources.Employee + #"/" + CRAWebSiteMVC.Properties.Resources.Create }));
}
}
And here's the usual way I create an account via the normal form auth. registering :
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Register(RegisterModel model)
{
if (ModelState.IsValid)
{
// Attempt to register the user
try
{
WebSecurity.CreateUserAndAccount(model.UserName, model.Password);
WebSecurity.Login(model.UserName, model.Password);
return RedirectToAction("Index", "Home");
}
[...]
}
// If we got this far, something failed, redisplay form
return View(model);
}
How may I create an account via the Employee creation panel and basically replace the usual user list by the employee list?
Now Usually the context, is automatically declared as db <- in the controllers.
it is Declared as
private ApplicationDbContext db = new ApplicationDbContext();
But in this Case in my example it says. context so just Change context to db if ApplicationDbContext is declared.
The bottom is an Example of Creating a User class and an Employee class at the same time. So inserting a record to the User While having a reference to the Employee class. But I guess you get that by now.
Notice that, I didn't add an encryption to the password. Cause that is a whole new topic of question.
var userStore = new UserStore<ApplicationUser>(context);
var userManager = new UserManager<ApplicationUser>(userStore);
if (!context.Users.Any(t => t.UserName == "admin#Konek.com"))
{
var user = new ApplicationUser { UserName = "admin#Konek.com", Email = "admin#Konek.com" };
userManager.Create(user, "Password1!");
context.Roles.AddOrUpdate(r => r.Name, new IdentityRole { Name = "Admin" });
context.Roles.AddOrUpdate(r => r.Name, new IdentityRole { Name = "Receptionist" });
context.Roles.AddOrUpdate(r => r.Name, new IdentityRole { Name = "Security" });
context.SaveChanges();
userManager.AddToRole(user.Id, "Admin");
Employee admingEmployee = new Employee
{
Age=25,
Citizenship="Filipino",
CivilStatus=CivilStatus.Single,
DateOfBirth=DateTime.Now,
EmailAddress="admin#Konek.com",
FirstName="Admin",
Gender=Gender.Male,
HomeAddress="None",
LandLine="531-5555",
LastName="Administrator",
MiddleName="admin",
MobileNumber="09275225222",
Photo = "*******",
PlaceofBirth="*****",
Password = "********",
Role=Role.Admin
};
context.Employees.Add(admingEmployee);
context.SaveChanges();
This is the code I used for membership in Global.asax
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
if (FormsAuthentication.CookiesSupported == true)
{
if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
{
try
{
//let us take out the username now
string username = FormsAuthentication.Decrypt(Request.Cookies[FormsAuthentication.FormsCookieName].Value).Name;
string roles = string.Empty;
IUserService _userService= new UserService();
UserViewModel user = _userService.SelectUserByUserName(username).UserList.FirstOrDefault();
roles = user.role;
//let us extract the roles from our own custom cookie
//Let us set the Pricipal with our user specific details
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(
new System.Security.Principal.GenericIdentity(username, "Forms"), roles.Split(','));
}
catch (Exception)
{
//somehting went wrong
}
}
}
}
I'm trying to redirect the user for different view if his Role is "Manager",this is what I tried to get the user roles in the controller but It returns an empty list :
[Authorize(Roles = "admin, manager")]
public ActionResult Index()
{
string[] rolesArray;
rolesArray = Roles.GetAllRoles();// returns an empty array
foreach(var item in rolesArray){
if(item == "manager"){
return RedirectToAction("index", "Manager");
}
}
return View();
}
You should be able to call .IsInRole()
if (User.IsInRole("manager"))
{
return RedirectToAction("index", "Manager");
}