ASP.NET MVC Security: How to Check if the Controller Method is Allowed with Current User Permissions

Given the class declaration of the ASP.NET MVC controller class:

    public class ItemController : Controller
    {
        public ActionResult Index()
        {
            // ...
        }

        public ActionResult Details()
        {
            // ...
        }

        [Authorize(Roles="Admin, Editor")]
        public ActionResult Edit()
        {
            // ...
        }

        [Authorize(Roles="Admin")]
        public ActionResult Delete()
        {
            // ...
        }
    }

I need to reflect a list of methods in this class that can be called with current user permissions.

Please share some ideas on what can be done in this case.

+4
1 answer

OK, for the new question, I think something like:

 new ReflectedControllerDescriptor(typeof(ItemController)).GetCanonicalActions() 

can be used to return a list of all available actions. I don't have ASP.NET MVC available at work, so I can't check whether the ActionDescriptor that is returned exposes anything that says which members can execute them.

http://msdn.microsoft.com/en-us/library/system.web.mvc.actiondescriptor_members%28v=VS.90%29.aspx

These are the members of ActionDescriptor; you may find something there. I will take a look tonight to see if I can figure it out; it has me intrigued.


There is no universal user login / authentication system for all applications, so it is impossible to create a universal solution. You can create your own user login and authorization classes, which then add their own annotations to the methods, but they will have the same restrictions as in the ASP.NET MVC system, only for your login / authorization system (or someone who extends this system).

+3
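One way to combine the `GetCanonicalActions()` call from the answer with the `[Authorize]` attributes from the question, as an added example that is not part of the original answer: it reads the attributes on the controller and on each action and repeats the checks the stock `AuthorizeAttribute` performs (authenticated, then `Users`, then `Roles`). The names `ActionPermissionHelper`, `GetAllowedActions`, `Passes` and `Split` are hypothetical, and the code assumes only the stock attribute is in use; subclasses that override the authorization logic, global filters and `[AllowAnonymous]` are not evaluated.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

public static class ActionPermissionHelper
{
    // Names of the actions on controllerType that every [Authorize]
    // attribute (controller-level and action-level) would let this user call.
    public static IList<string> GetAllowedActions(Type controllerType, IPrincipal user)
    {
        var controller = new ReflectedControllerDescriptor(controllerType);
        var controllerRules = controller
            .GetCustomAttributes(typeof(AuthorizeAttribute), true)
            .Cast<AuthorizeAttribute>()
            .ToList();

        return controller.GetCanonicalActions()
            .Where(action => controllerRules
                .Concat(action.GetCustomAttributes(typeof(AuthorizeAttribute), true)
                              .Cast<AuthorizeAttribute>())
                .All(rule => Passes(rule, user)))   // no attribute at all => allowed
            .Select(action => action.ActionName)
            .Distinct()                             // GET/POST overloads share a name
            .ToList();
    }

    // Same order as the stock attribute: authenticated, Users list, Roles list.
    private static bool Passes(AuthorizeAttribute rule, IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        var users = Split(rule.Users);
        if (users.Length > 0 &&
            !users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return false;

        var roles = Split(rule.Roles);
        return roles.Length == 0 || roles.Any(user.IsInRole);
    }

    // "Admin, Editor" -> { "Admin", "Editor" }
    private static string[] Split(string list)
    {
        return (list ?? string.Empty).Split(',')
            .Select(item => item.Trim())
            .Where(item => item.Length > 0)
            .ToArray();
    }
}
```

Inside a controller or view, `ActionPermissionHelper.GetAllowedActions(typeof(ItemController), User)` gives the list for the current request. The result is suitable for deciding which links to render; the `[Authorize]` attributes remain the actual enforcement point when a request arrives.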

Source: https://habr.com/ru/post/1308874/

