Comments on: Custom Authorization With Asp.net MVC

By: bugeo

bugeo — Fri, 25 Jun 2010 15:48:06 +0000

Great!

By: Christian Louboutin

Christian Louboutin — Thu, 10 Jun 2010 13:24:15 +0000

Thank you for sharing I wish I could go somwhere.

By: Alex

Alex — Sat, 22 May 2010 12:46:42 +0000

And how would I need to assign my custom role to a user I add in the controller?

By: Muktadiur Rahman

Muktadiur Rahman — Sun, 18 Apr 2010 04:50:36 +0000

Nice post.thanks

By: Shalin

Shalin — Wed, 11 Nov 2009 19:01:47 +0000

Excellent post.

In addition I was looking for giving filtered access to records based on user’s location. In other words, in my application, users are assigned different locations (branches). I want user from a branch should be able to access records entered by users of that branch only. I have UserLocation and Location table to manage assignment. Could you please guide me for this.

Thank you.

By: Schotime

Schotime — Wed, 16 Sep 2009 20:58:49 +0000

I would set this on login usually.

Thanks

By: Kevin

Kevin — Sun, 06 Sep 2009 17:24:07 +0000

Excellent tutorial. Now I’m a bit confused:

Where/When would you set:
httpContext.Session["role"]?

ThanX in advance.

By: Ahrimaan

Ahrimaan — Wed, 05 Aug 2009 13:20:23 +0000

Hi,
Nice Post.
Now i Understand how the AuthorisazinFlags work.
Im sittin here and mull over a Problem:
I want to use the Authorization Flag but in another Form
Ive got a Detail View example /Report/1

Now a User got more than one Rights
Example : User a Rights 1 -> 1024 , 2 -> 2048
the 1 stands for the view and the 1024 for a Bitmask. I want to mage it as dynamicle as possible.

But i dont know how … Any Ideas ?

By: Nizar

Nizar — Fri, 20 Feb 2009 22:55:04 +0000

Great post! I’ve been looking for how to implement custom authorization of MVC. Really like the idea of how you’re managing the SiteRoles and/or logic. Kinda confusing at first though.

By: Schotime

Schotime — Thu, 19 Feb 2009 05:17:00 +0000

@Rasmus M
I have had a look at this and you can do it.

If you put the [CustomAuthroize] attribute on the controller and [CustomAuthroize(Roles = SiteRoles.Admin)] on the action method then only admin people will be allowed through. If you try to access the page with a SiteRoles.User then you will be sent to the “NotAuth” view. This can easily be changed.

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
// the “new” must be used here because we are overriding the Roles property on the underlying class
public new SiteRoles Roles;

private bool FailedRolesAuth = false;

protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException(“httpContext”);

if (!httpContext.User.Identity.IsAuthenticated)
return false;

string[] users = Users.Split(‘,’);

if (!httpContext.User.Identity.IsAuthenticated)
return false;

if (users.Length > 0 && !users.Contains(StateManager.ContactName, StringComparer.OrdinalIgnoreCase))
return false;

SiteRoles role = (SiteRoles)httpContext.Session["role"];

if (Roles != 0 && (Roles & role) != role)
{
FailedRolesAuth = true;
return false;
}

return true;
}

public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
if (FailedRolesAuth)
{
filterContext.Result = new ViewResult { ViewName = “NotAuth” };
}
}
}

This will redirect you to the “NotAuth” view if you fail the role logic.