Providing a dynamic role in asp.net mvc (Roles are not fixed. Updates are ongoing)

I know of a simple role provider in which, if I need to limit a specific action, I just need to write [Authorize(Roles = "Admin")], or if I need to limit a certain part of the view, I write @if (User.IsInRole("Administrator")).

But my question is: what if my roles are not fixed but stored in the database, and my super-administrator can edit and delete them?

My requirement is that superadmin can add, update, delete roles, as well as create different users and support the roles of these users.

I did a lot of searching and found something as follows:

    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
    public class CustomRole : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase context)
        {
            Respository db = new Respository();
            if (db.UserMasters.Where(x => x.user_name == context.User.Identity.Name).Count() > 0)
            {
                return true;
            }
            else
            {
                return false;
            }
        }
    }

Here I can use this code to authorize an action method as follows

    [CustomRole]
    public ActionResult Details(int id = 0)
    {
        Employee employee = db.Employees.Find(id);
        if (employee == null)
        {
            return HttpNotFound();
        }
        return View(employee);
    }

Here my action method is protected, but what if I want to protect part of the view with this user-defined method? How can I use this to achieve functionality like User.IsInRole("Admin")?

+6
3 answers

Completely answering your question may be out of scope for StackOverflow, since basically it will require writing most of the application for you, but here's a general idea.

Write a helper class like this:

    using System.Web;

    public class ModuleHelper
    {
        public static bool UserCanAccessModule(string moduleIdentifier)
        {
            // Deny by default; only a successful lookup can grant access.
            bool canAccess = false;

            /* Call into your service with current User.Name and module identifier
               (integer, GUID, whatever). Return result of whether user has the
               required role for the specified module */
            try
            {
                // A static helper has no User property, so read the principal
                // from the current request. "service" is your own lookup service.
                canAccess = service.CanUserAccessModule(HttpContext.Current.User.Identity.Name, moduleIdentifier);
            }
            catch
            {
                // catching all exceptions, since this is a UI helper
            }

            return canAccess;
        }

        // etcetera...
    }

I would suggest wrapping it in the root namespace of your application; otherwise, add a reference to this class's namespace in the system.web.webPages.razor section of the web.config in the Views folder. Then you can do something like:

    <div class="col-sm-3 col-md-2 sidebar">
        @if (ModuleHelper.UserCanAccessModule("moduleXYZ"))
        {
            @Html.Action("moduleXYZ")
        }
    </div>

This obviously involves a lot, but the idea is not new or all that difficult in practice. The maintenance logic is relatively simple:

  • User Search
  • See "action" or "module"
  • Look at the intersection (if any) between the assigned roles.

No intersections means that the user does not have the required role.

+4
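
The lookup-and-intersect check described in the answer above, as an added example (not the answerer's code). `RoleStore`, `Grant` and the in-memory tables are hypothetical stand-ins for the database tables the superadmin edits, and the sample users and roles are constructed.

```csharp
using System;
using System.Collections.Generic;

// Constructed in-memory stand-in for the role tables the superadmin edits.
public class RoleStore
{
    private static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase;

    // user name -> roles assigned to the user
    public readonly Dictionary<string, HashSet<string>> UserRoles =
        new Dictionary<string, HashSet<string>>(Cmp);
    // module identifier -> roles allowed to use the module
    public readonly Dictionary<string, HashSet<string>> ModuleRoles =
        new Dictionary<string, HashSet<string>>(Cmp);

    public void Grant(Dictionary<string, HashSet<string>> table, string key, params string[] roles)
    {
        HashSet<string> set;
        if (!table.TryGetValue(key, out set))
            table[key] = set = new HashSet<string>(Cmp);
        set.UnionWith(roles);
    }

    // Deny by default: unknown user, unknown module or no shared role gives false.
    public bool CanUserAccessModule(string userName, string moduleIdentifier)
    {
        HashSet<string> userRoles, moduleRoles;
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(moduleIdentifier)) return false;
        if (!UserRoles.TryGetValue(userName, out userRoles)) return false;
        if (!ModuleRoles.TryGetValue(moduleIdentifier, out moduleRoles)) return false;
        return userRoles.Overlaps(moduleRoles);
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new RoleStore();
        store.Grant(store.UserRoles, "alice", "HR", "Reports");
        store.Grant(store.UserRoles, "bob", "Sales");
        store.Grant(store.ModuleRoles, "moduleXYZ", "HR", "Admin");
        Console.WriteLine(store.CanUserAccessModule("alice", "moduleXYZ"));     // shares the HR role
        Console.WriteLine(store.CanUserAccessModule("bob", "moduleXYZ"));       // no shared role
        Console.WriteLine(store.CanUserAccessModule("alice", "unknownModule")); // unmapped module
        // Superadmin edits the module's roles; the very next check sees the change.
        store.ModuleRoles["moduleXYZ"].Remove("HR");
        Console.WriteLine(store.CanUserAccessModule("alice", "moduleXYZ"));
    }
}
```

Because the check reads the tables on every call, a role the superadmin removes stops granting access on the next request rather than at the user's next login.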

Your requirement will be in 3 steps

1. Create all roles by default, save them in the database, i.e. roleid, rolename.
2. When creating a new userid, map the userid using the roleid.
3. Also create one table for all permissions that you must give.
4. Make a separate UI for the administrator to change the roles of each user.

The database will look like this.

[image]

And the UI will be like that.

[image]

Try this yourself.

+4

Tieson T. already has an excellent answer to your question, so I suggest an alternative method if you want all your authorization steps to be in controllers.

Consider dividing the various aspects (or limited parts) of your main view into a partial view (or views) that perform limited functionality. Then instead of using: @Html.RenderPartial("ViewName", Model) you can configure your partial elements to return from controller actions decorated with the ChildActionOnly attribute using the RenderAction Html Helper.

For instance:

    <div class="col-sm-3 col-md-2 sidebar">
        @* RenderAction returns void, so it must be called inside a code block *@
        @{ Html.RenderAction("RestrictedContent", "Restricted"); }
    </div>

Then in the controller class

    public class RestrictedController : Controller
    {
        public RestrictedController() : base() { }

        [ChildActionOnly()]
        [CustomRole()]
        public ActionResult RestrictedContent()
        {
            return PartialView("RestrictedPartial");
        } // end action RestrictedContent
    } // end class

The only consideration with this approach is that your custom attribute should check the IsChildAction property, to avoid rendering a redirect (or whatever your attribute does when the user is not logged in), since you probably want to just do nothing.

Example (in your custom attribute class):

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.IsChildAction)
        {
            // Still run the role check for child actions; only the failure
            // handling differs from a normal request.
            if (!AuthorizeCore(filterContext.HttpContext))
            {
                filterContext.Result = new EmptyResult(); // return an empty result instead of performing a redirect.
            }
        }
        else
        {
            base.OnAuthorization(filterContext); // continue with custom authorization if it is not a child action
        } // end if/else
    } // end method OnAuthorization

Phil Haack has an article describing the use of the RenderAction method here: http://haacked.com/archive/2009/11/18/aspnetmvc2-render-action.aspx/

Also see here for an interesting discussion of the differences between Action and RenderAction: Difference between Html.Action and Html.RenderAction

+1

Source: https://habr.com/ru/post/970156/

