I need to enable my admin user to change access permissions for users on the fly, such that they can create new Roles and add permissions to those Roles.
I want to be able to create an Authorize attribute to stick above my controller class that I can add roles to from a database, so that I don’t have to ‘set’ the roles during development, as in [Authorize(Roles="Role1, Role2")] etc.
So something like [Authorize(Roles = GetListOfRoles()]
I found this question – ASP.NET MVC Authorize user with many roles which does something similar but maybe there’s a way to change this such that it gets a list of permissions/roles from the db?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
This is how I pulled off an attribute that could authorize users per method based on the permissions of the role of that user. I hope this helps somebody else:
/// <summary>
/// Custom authorization attribute for setting per-method accessibility
/// </summary>
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class SetPermissionsAttribute : AuthorizeAttribute
{
/// <summary>
/// The name of each action that must be permissible for this method, separated by a comma.
/// </summary>
public string Permissions { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
SalesDBContext db = new SalesDBContext();
UserManager<ApplicationUser> userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
ApplicationDbContext dbu = new ApplicationDbContext();
bool isUserAuthorized = base.AuthorizeCore(httpContext);
string[] permissions = Permissions.Split(',').ToArray();
IEnumerable<string> perms = permissions.Intersect(db.Permissions.Select(p => p.ActionName));
List<IdentityRole> roles = new List<IdentityRole>();
if (perms.Count() > 0)
{
foreach (var item in perms)
{
var currentUserId = httpContext.User.Identity.GetUserId();
var relatedPermisssionRole = dbu.Roles.Find(db.Permissions.Single(p => p.ActionName == item).RoleId).Name;
if (userManager.IsInRole(currentUserId, relatedPermisssionRole))
{
return true;
}
}
}
return false;
}
}
Method 2
What about something like this:
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class MyCustomAuthorizationAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
// Do some logic here to pull authorised roles from backing store (AppSettings, MSSQL, MySQL, MongoDB etc)
...
// Check that the user belongs to one or more of these roles
bool isUserAuthorized = ....;
if(isUserAuthorized)
return true;
return base.AuthorizeCore(httpContext);
}
}
You could use it with a database, or simply maintain a list of authorized roles in the web.config.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0