Implementing fine-grained runtime permissions in asp.net Membership? - c#

Is there a preferred way of doing fine grained access that can be modified during runtime?
ASP.net membership doesn't seem to support this. I thought of creating constant invisible subroles so that there would be a set of hidden roles like "_CanEditContent" and "_CanDeleteOthersContent". The check would be [Authorize(Roles = SubRoles.CanEditUser)], which would check that the user is in a role that has the _CanEditUser role. The problem there is how to assign roles to other roles, so that when we create a new role like "UserAdmin", how could we assign the "_CanEditUser" role to that new role? That seems impossible.
What I need to do is to be able to create roles during runtime and add custom permissions for new or existing roles. I would do the checks with something like [Authorize] and custom checks for AJAX methods. How would I achieve this?

Indeed, asp.net membership does not support this. You'll have to roll out your own mechanism with your own authorization attributes, which will use information about user (or role) permissions.
You can use asp.net membership for role management, and then assign permissions to roles whichever way you want, for example, database.

Related

Asp.net identity - How to maintain logged in user role?

I'm using an AngularJS project and an ASP.NET Identity custom storage provider with Enterprise Library for token authentication.
I implemented a custom UserStore to create an account.
The [Authorize] attribute works well after logging in. I want to restrict a method to a particular user.
So I tried to implement [Authorize(Roles="Admin,User")].
Here one user can have two roles in practice. But as per the system, when the user logs in, we restrict the user to selecting a particular role.
So, after being validated by ASP.NET Identity, the user should select any one of the roles.
Here my need is,
I want to maintain the role which he selected (we consider this concept like impersonating a user, but not exactly).
Or,
I need to implement this in the Authorize attribute itself.
I've seen some examples where we can add a claim to the identity.
But I can add custom claims only inside the method
GenerateUserIdentityAsync
In my case I need to add the claim after the login is validated. I've gone through some examples and implemented it like the following.
ClaimsIdentity identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
identity.AddClaim(new Claim(ClaimTypes.Role, "Test"));
After adding the claim, when I try to get the claims to check the logged-in user's role,
List<Claim> claim = claims.Where(c => c.Type == ClaimTypes.Role).ToList();
I didn't get the role "Test".
Here my bad luck is, in claims, I have all the roles of the user except role = Test.
How do I authorize the user role or maintain it after login here?
I see at least three solutions for your problem:
Use a claim transformation to filter the role claims, to match the role the user chose. You can use a claim transformation middleware or you can filter the claims during login (be aware that you do not know the user's roles BEFORE login, and afterwards filtering might be too late). PRO Does not necessarily need session state; CON User can not choose during runtime.
Store the role in the session and authenticate against that role. Make sure that you check against the role claims when the user chooses his role. PRO User might change role without re-sign-in. CON Needs session state (might be an issue in farm environments).
Don't do it at all, and I'm totally serious about that. Provide your user a clean interface that lets him know what role he has, and use areas and other techniques to separate the concerns.
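The first option above (filter the role claims during login) worked through as an added example; this is not code from the question or the answer. It assumes ASP.NET Identity 2.x with OWIN cookie authentication; the method name SignInWithSelectedRoleAsync and the SelectedRole claim type are invented for the example. The point it makes about the question's own snippet is that a claim added to a freshly constructed ClaimsIdentity only takes effect if that identity is the one passed to SignIn; here the identity is built by UserManager (so it carries the user's real role claims), trimmed to the chosen role, and then signed in.

```csharp
// Added example: sign the user in with only the role they selected after validation.
// Assumes ASP.NET Identity 2.x + OWIN cookie middleware. SelectedRole is a hypothetical claim type.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public static class RoleSelectionSignIn
{
    // Records which of the user's roles is active for this cookie (hypothetical claim type).
    public const string SelectedRole = "urn:example:selected-role";

    public static async Task<bool> SignInWithSelectedRoleAsync<TUser>(
        UserManager<TUser> userManager,
        IAuthenticationManager authManager,
        string userId,
        string chosenRole,
        bool rememberMe) where TUser : class, IUser<string>
    {
        // Build the full identity first: this is where ALL of the user's role claims appear,
        // so it is the only trustworthy list of roles the user may choose from.
        var user = await userManager.FindByIdAsync(userId);
        if (user == null) return false;
        var identity = await userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);

        // Never trust a role name posted back from the browser on its own: it must be one the user holds.
        var held = identity.FindAll(ClaimTypes.Role).Select(c => c.Value).ToList();
        if (!held.Contains(chosenRole, StringComparer.OrdinalIgnoreCase)) return false;

        // Keep exactly one role claim, so [Authorize(Roles = "...")] and User.IsInRole(...)
        // see only the chosen role for the lifetime of the cookie.
        foreach (var claim in identity.FindAll(ClaimTypes.Role).ToList())
            identity.RemoveClaim(claim);
        identity.AddClaim(new Claim(ClaimTypes.Role, chosenRole));
        identity.AddClaim(new Claim(SelectedRole, chosenRole));

        // Replace any existing application cookie with the trimmed identity.
        authManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        authManager.SignIn(new AuthenticationProperties { IsPersistent = rememberMe }, identity);
        return true;
    }
}
```

Switching roles later means calling this method again (a fresh cookie), which is the CON the answer notes for this option; the SelectedRole claim lets a UI show which role is active without re-deriving it from the single remaining role claim.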

Choosing a role provider - ASP.net membership provider

I'm using 2 membership providers on my Umbraco CMS. One provider is used for CMS users and the other is to be used for site membership.
I have 2 role providers too - UmbracoRoleProvider & AspNetSqlRoleProvider. How do I access each one in the code? e.g. when a new user registers, I'd like to add a role for them as "member", but it defaults to the Umbraco role provider because that is the default.
I thought I'd be able to do something like this:
Roles.AddUserToRole(EmailAddress.Text, "Member", "AspNetSqlRoleProvider");
Or something similar, but can't find any info on it. Can it be done over a few lines of code, or is it more complex than that?
Thanks
Using multiple role providers is not supported out of the box. You could use the Composite pattern to implement your own role provider that checks both for valid roles and memberships, but I would try to find a way to use a single role provider instead.
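The Composite pattern the answer mentions, sketched as an added example (not code from the answer or from Umbraco): a RoleProvider that reads from both configured providers and writes through one of them. The provider names come from the question; the class name CompositeRoleProvider and the writeProvider/readProvider config attributes are invented here. Reads that the static Roles class makes then cover both stores, while Roles.AddUserToRole lands only in the SQL provider.

```csharp
// Added example: compose two registered RoleProviders behind one default provider.
// Register it in web.config beside the real providers, e.g.:
//   <roleManager enabled="true" defaultProvider="CompositeRoleProvider">
//     <providers>
//       <add name="CompositeRoleProvider" type="CompositeRoleProvider"
//            writeProvider="AspNetSqlRoleProvider" readProvider="UmbracoRoleProvider" />
//       <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="..." />
//       <add name="UmbracoRoleProvider" type="..." />
//     </providers>
//   </roleManager>
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Web.Security;

public class CompositeRoleProvider : RoleProvider
{
    private string _writeName = "AspNetSqlRoleProvider";
    private string _readName = "UmbracoRoleProvider";
    private RoleProvider _write, _read;

    public override string ApplicationName { get; set; }

    public override void Initialize(string name, NameValueCollection config)
    {
        _writeName = config["writeProvider"] ?? _writeName;
        _readName = config["readProvider"] ?? _readName;
        config.Remove("writeProvider");
        config.Remove("readProvider");
        base.Initialize(name, config);
    }

    // Resolved lazily: Roles.Providers must not be consulted while Roles is still
    // instantiating its providers, which is exactly when Initialize runs.
    private RoleProvider Write => _write ?? (_write = Require(_writeName));
    private RoleProvider Read => _read ?? (_read = Require(_readName));
    private static RoleProvider Require(string name) =>
        Roles.Providers[name] ?? throw new InvalidOperationException("Role provider not registered: " + name);

    private static string[] Merge(string[] a, string[] b) =>
        a.Union(b, StringComparer.OrdinalIgnoreCase).ToArray();

    // Reads consult both stores.
    public override bool IsUserInRole(string username, string roleName) =>
        Write.IsUserInRole(username, roleName) || Read.IsUserInRole(username, roleName);

    public override string[] GetRolesForUser(string username) =>
        Merge(Write.GetRolesForUser(username), Read.GetRolesForUser(username));

    public override string[] GetAllRoles() => Merge(Write.GetAllRoles(), Read.GetAllRoles());

    public override bool RoleExists(string roleName) =>
        Write.RoleExists(roleName) || Read.RoleExists(roleName);

    // Some providers throw when asked about a role they do not hold, so check first.
    public override string[] GetUsersInRole(string roleName) =>
        Merge(Write.RoleExists(roleName) ? Write.GetUsersInRole(roleName) : new string[0],
              Read.RoleExists(roleName) ? Read.GetUsersInRole(roleName) : new string[0]);

    public override string[] FindUsersInRole(string roleName, string usernameToMatch) =>
        Merge(Write.RoleExists(roleName) ? Write.FindUsersInRole(roleName, usernameToMatch) : new string[0],
              Read.RoleExists(roleName) ? Read.FindUsersInRole(roleName, usernameToMatch) : new string[0]);

    // Writes go to one store only, so site members are never created in the CMS role store.
    public override void CreateRole(string roleName) => Write.CreateRole(roleName);
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) =>
        Write.DeleteRole(roleName, throwOnPopulatedRole);
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) =>
        Write.AddUsersToRoles(usernames, roleNames);
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) =>
        Write.RemoveUsersFromRoles(usernames, roleNames);
}
```

With this registered as the default, the question's Roles.AddUserToRole(EmailAddress.Text, "Member") call goes to the SQL provider, and a role name that exists in both stores is treated as the same role, which is the ambiguity the answer warns about and the reason a single provider is simpler when you can arrange it.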

Admin vs users pages. Best way to set up? ASP.NET C# Membership Services

I have a set of unauthorized pages that anyone can access (mainly the register page). Once a user is registered with personal info and group info, I want them to be admin; they then can access the authorized pages. On the authorized pages, I have an add member page, which creates a new user, and that user inherits the admin's group info. These people will be regular users and I don't want them to access the add member page and other select pages.
So what's the best way to set this up? I have an extra table that saves some extra user info for everyone; would I include some type of true/false admin column? ASP.NET configuration? What else?
I have my auth and un-auth pages set up with asp.net config with each set of pages in a different directory.
I'm using membership services, MS SQL, ASP.NET, etc
Sounds like Role Management should be a good solution for this.
The best way to implement this would be to create a role via Membership Services for site Administrators.
You could then easily decorate your Admin only Controller Actions with:
[Authorize(Roles = "Admin")]
Assign the users a role [user] while creating the account...
Use this code to restrict non-administrative users.
If User.IsInRole("Administrator") Then
    ' Administrator-only content or actions go here
Else
    ' Everyone else: hide the controls or redirect away from the page
End If

C#/ASP.NET Custom Permissions to Perform Specific Action

I'm building a web application in which I want users to have specific permissions to perform a specific action. I don't want to use the default permission and role providers in ASP.NET.
I was thinking of having each User associated with a Role. Each Role is mapped to a set of Permissions (CreatePost, ReadPost, UpdatePost, DeletePost and so on).
I have a couple of questions regarding this. Would it be best to have a boolean property for each Permission on the role or some sort of bitfield? I like the idea of having methods for this but probably need to map these to the permissions stored for the role in the database.
Also, how would I implement this for each action/request? I'm thinking something along the lines of what was posted here but I'm not really sure.
Thanks!
Make your own role provider and register it in the web.config. Look at MSDN for a sample. Once it is registered it will associate the roles you provide with the principal.
I've just done that for one of my projects and it works fine.
To check whether the user has permission to execute a task you'll have to see whether the user is in the required role. In "normal" ASP.NET you will have to do this in code. In MVC you can do that with attributes on each class/method in the controller.
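An added example serving both this question (bitfield vs. boolean per permission, and how to check per action) and the first one on this page (roles created at runtime with permissions assigned in a database, checked by a custom authorization attribute and by AJAX methods). It is not code from any of the answers. It assumes ASP.NET MVC 5; the names Permission, IPermissionStore, InMemoryPermissionStore, PermissionEvaluator and RequiresPermissionAttribute are invented here, and the role-to-permission rows are constructed sample data standing in for a database table.

```csharp
// Added example: permissions as a [Flags] bitfield, mapped to roles by a store that can be
// changed at runtime, and enforced by an MVC AuthorizeAttribute subclass.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

[Flags]
public enum Permission
{
    None       = 0,
    CreatePost = 1 << 0,
    ReadPost   = 1 << 1,
    UpdatePost = 1 << 2,
    DeletePost = 1 << 3,
}

// Back this with a table such as (RoleName, PermissionMask) so an admin can edit it without a redeploy.
public interface IPermissionStore
{
    Permission GetPermissionsForRole(string roleName);
    void SetPermissionsForRole(string roleName, Permission permissions);
}

// In-memory store with constructed sample rows, so the example runs without a database.
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private readonly Dictionary<string, Permission> _byRole =
        new Dictionary<string, Permission>(StringComparer.OrdinalIgnoreCase)
        {
            ["Reader"] = Permission.ReadPost,
            ["Author"] = Permission.ReadPost | Permission.CreatePost | Permission.UpdatePost,
            ["Editor"] = Permission.ReadPost | Permission.CreatePost | Permission.UpdatePost | Permission.DeletePost,
        };

    public Permission GetPermissionsForRole(string roleName) =>
        _byRole.TryGetValue(roleName, out var p) ? p : Permission.None;

    public void SetPermissionsForRole(string roleName, Permission permissions) =>
        _byRole[roleName] = permissions;
}

public static class PermissionEvaluator
{
    // Roles come from role claims for a claims-based principal, otherwise from the configured
    // RoleProvider (which requires <roleManager enabled="true"> in web.config).
    public static IEnumerable<string> RolesOf(IPrincipal user)
    {
        if (user is ClaimsPrincipal cp)
            return cp.FindAll(ClaimTypes.Role).Select(c => c.Value);
        return user.Identity.IsAuthenticated
            ? Roles.GetRolesForUser(user.Identity.Name)
            : Enumerable.Empty<string>();
    }

    // Effective permissions are the union over all roles the user is in.
    public static Permission Effective(IPrincipal user, IPermissionStore store) =>
        RolesOf(user).Aggregate(Permission.None, (acc, role) => acc | store.GetPermissionsForRole(role));

    // Every bit in 'required' must be present; use this directly inside AJAX methods too.
    public static bool Has(Permission effective, Permission required) =>
        (effective & required) == required;
}

// Usage on an action: [RequiresPermission(Permission.UpdatePost | Permission.DeletePost)]
public sealed class RequiresPermissionAttribute : AuthorizeAttribute
{
    // Static for brevity; resolve it from your DI container in a real application.
    public static IPermissionStore Store = new InMemoryPermissionStore();
    private readonly Permission _required;

    public RequiresPermissionAttribute(Permission required) { _required = required; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;   // unauthenticated: deny
        return PermissionEvaluator.Has(PermissionEvaluator.Effective(httpContext.User, Store), _required);
    }

    // AJAX callers get a 403 rather than a redirect to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAjaxRequest())
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

The bitfield answers the boolean-per-permission question: one integer column per role holds the whole set, new permissions are new enum members rather than new columns, and a check is a single mask comparison. Role membership itself can still be managed by ASP.NET membership or Identity; only the role-to-permission mapping is custom, which is what the first answer on this page recommends.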

Application Role management

I need to implement an Application Role Management feature.
I looked at AZMan; I guess it is a bit of overkill for my application.
I'm thinking of using XML input that has multiple hierarchies defining roles, given that some roles (like Administrator) can participate in all other (sub)roles.
Any recommendation highly appreciated.
If I'm understanding the question correctly, you just need a role implementation that handles hierarchical roles.
One approach might be to implement a custom RoleProvider.
If you had your role database set up something like this (could also be a hierarchical XML file):
ID  Role       ParentRoleID
1   Admin      null
2   SubAdmin1  1
3   SubAdmin2  1
You could code your custom role provider such that if a user is explicitly assigned the admin role, they are "behind the scenes" given the admin role plus any sub roles. In this example, for a user explicitly assigned the "Admin" role, the GetRolesForUser method would return "Admin, SubAdmin1, SubAdmin2". In this way a call from your code to Roles.IsUserInRole("SubAdmin2") would return true for a user who was only explicitly assigned the "Admin" role.
HTH
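The expansion step the answer describes, as an added example rather than the answer's own code: given rows of the (ID, Role, ParentRoleID) table above and a user's explicitly assigned roles, compute the full set including every descendant role, which is what a custom RoleProvider's GetRolesForUser and IsUserInRole would return. RoleRow and RoleHierarchy are invented names, and the three rows are the constructed sample data from the answer's table; the example also guards against cycles in bad data, which the answer does not discuss.

```csharp
// Added example: expand explicitly assigned roles down a parent/child role hierarchy.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class RoleRow
{
    public int Id;
    public string Role;
    public int? ParentRoleId;   // null for a top-level role such as Admin
}

public sealed class RoleHierarchy
{
    private readonly Dictionary<string, RoleRow> _byName;
    private readonly ILookup<int, RoleRow> _children;   // parent id -> direct child rows

    public RoleHierarchy(IEnumerable<RoleRow> rows)
    {
        var list = rows.ToList();
        _byName = list.ToDictionary(r => r.Role, StringComparer.OrdinalIgnoreCase);
        _children = list.Where(r => r.ParentRoleId.HasValue).ToLookup(r => r.ParentRoleId.Value);
    }

    // Membership flows downward only: Admin implies SubAdmin1 and SubAdmin2, never the reverse.
    public string[] Expand(IEnumerable<string> explicitRoles)
    {
        var result = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var stack = new Stack<RoleRow>();
        foreach (var name in explicitRoles)
        {
            if (_byName.TryGetValue(name, out var row)) stack.Push(row);
            else result.Add(name);   // role unknown to the hierarchy: keep it as a flat role
        }
        while (stack.Count > 0)
        {
            var row = stack.Pop();
            if (!result.Add(row.Role)) continue;   // already visited; also stops a cycle in bad data
            foreach (var child in _children[row.Id]) stack.Push(child);
        }
        return result.OrderBy(r => r, StringComparer.OrdinalIgnoreCase).ToArray();
    }

    // What a custom RoleProvider.IsUserInRole would compute from the user's explicit roles.
    public bool IsInRole(IEnumerable<string> explicitRoles, string roleName) =>
        Expand(explicitRoles).Contains(roleName, StringComparer.OrdinalIgnoreCase);
}

public static class RoleHierarchyDemo
{
    public static void Main()
    {
        // Constructed sample rows matching the table in the answer.
        var hierarchy = new RoleHierarchy(new[]
        {
            new RoleRow { Id = 1, Role = "Admin" },
            new RoleRow { Id = 2, Role = "SubAdmin1", ParentRoleId = 1 },
            new RoleRow { Id = 3, Role = "SubAdmin2", ParentRoleId = 1 },
        });
        Console.WriteLine(string.Join(", ", hierarchy.Expand(new[] { "Admin" })));
        Console.WriteLine(hierarchy.IsInRole(new[] { "Admin" }, "SubAdmin2"));
        Console.WriteLine(hierarchy.IsInRole(new[] { "SubAdmin1" }, "Admin"));
    }
}
```

Inside a RoleProvider you would load the rows once (from the table or the XML file), keep a RoleHierarchy instance, and have GetRolesForUser return Expand(explicitRolesFromStore); because the expansion happens in the provider, Roles.IsUserInRole("SubAdmin2") and [Authorize(Roles = "SubAdmin2")] both work unchanged for a user who only holds Admin.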
