Clever Geek Handbook

Role Combinations Authorization

More information can be provided if required, first post here!

I am currently managing a website in asp.net mvc4 with standard role authorization feature (webpages_roles/webpages_usersinroles)

.

This works great with a dot, the results of actions in controllers are formatted with the appropriate tags, for example:

[Authorize(Roles = "Admin")]

or when one of several roles can have access:

[Authorize(Roles = "Admin, Manager")]

What I need to do is authorize multiple roles, the situation "AND"

, and not "OR"

. For example. the user must be in both a role "Manager"

and a role "Finance"

to access the controller. Users with only "Manager"

or only "Finance"

but not both should not have access to the result of the action.

How will this be achieved? The search results show that people are talking about extending the authorize attribute, but if there is specific advice on how to do it, or something more straight forward, that would be very helpful in that case!

Spike's solution worked with minor modification, for each

used var

to create datatype char

, function IsInRole

required astring

Final code:

public class AndAuthorize : AuthorizeAttribute
{

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;

        try
        {
            if (Roles != null && Roles.Any())
            {
                foreach (string r in Roles.Split(','))
                {
                    if (!user.IsInRole(r))
                        return false;
                }
            }
            return true;
        }
        catch (Exception ex)
        {
            return false;
        }

    }
}
+3


source to share


2 answers


Yes, the best way to handle this is by extending the Authorize attribute.

Below is an example of an Authorize class you can implement for "AND" 

public class AndAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        try
        {
            if (Roles != null && Roles.Any())
            {
                foreach(var role in Roles){
                if(!httpContext.User.IsInRole(role))
                    return false;
                }
            }
            return true;
        }
        catch (Exception ex)
        {
            return false;
        }
    }
}


Now you need to install [AndAuthorize (Roles = "Admin, Manager")] as extending the authorization class will give you access to the default attributes (Roles and Users).

Then you can use original Authorize for "OR" and this one for "AND" cases

+3


source


I haven't tried it, but should work to test two roles.

Basically, you can apply one attribute to authorize the controller and another to the action method.

[Authorize(Roles = "Manager")] //role1
public class YourController : Controller
{
    [Authorize(Roles = "Finance")] //role2
    public ActionResult Index()
    {
    }
}


If you have different combinations:

[Authorize(Roles = "role1, role2, role3")] 
public class YourController : Controller
{
    [Authorize(Roles = "role4, role5, role6")]  
    public ActionResult Index()
    {
    }
}
+1


source






More articles:


All Articles