MVC C# preventing regular users from accessing admin control URL - no roles

Right now, my user table has a bool called Admin. As the code shows, if user.admin = true, the user can see and access the admin area button.

@if (Common.UsuarioLogueado.Admin) {
    <li><a href="@Url.Action("List", "ClientesAdmin", new { Area = "Admin" })">Admin control panel</a></li>
}


This works as intended. However, users who are not administrators can still reach the control panel by typing the URL http://localhost/appName/admin/ClientesAdmin/list directly.

How can I prevent this? I was thinking about showing an error message.

+3




3 answers


Following the other answers about using Roles and AuthorizeAttribute, which in my opinion is the best way to achieve what you are trying to do, there is another way.

You can simply redirect the user to another page. Prefer an error page that says you don't have access to the requested page, or just the 401 page that AuthorizeAttribute would give you if you're not logged in.

Alternative solution



using System.Web.Mvc;

// The controller behind /Admin/ClientesAdmin/List, so the class needs the Controller suffix.
public class ClientesAdminController : Controller
{
    // [Authorize(Roles = "Admin")]  // could do it this way
    public ActionResult List()
    {
        // or.. check the Admin flag yourself, on every action that must stay admin-only
        if (!Common.UsuarioLogueado.Admin)
        {
            return new HttpStatusCodeResult(401);
            // or
            // return View("Error"); // usually there is an 'Error' view in the Shared folder
        }

        return View();
    }
}


This is not the best solution, but I don't know how far along your project is, so this is just an alternative.

+2


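The weak point of the per-action check above is that it is opt-in: the next action added to the Admin area (an Edit or Delete POST, say) is exposed until somebody remembers the if-statement. The following is an added example, not code from the question or from this answer, of a reflection-based audit that lists every public action in the Admin area that no AuthorizeAttribute (or subclass of it) covers, so a forgotten check fails at startup or in a unit test instead of in production. It assumes ASP.NET MVC 5 (System.Web.Mvc) and that Admin-area controllers live in a namespace containing ".Areas.Admin.", which is what the MVC area scaffolding produces; the class names AdminAreaAuthorizationAudit and Startup are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using System.Web.Mvc;

// Hypothetical audit helper (not from the original answers): lists every public action
// in the Admin area that is reachable without an authorization filter.
public static class AdminAreaAuthorizationAudit
{
    // Assumption: Admin-area controllers live in a namespace containing ".Areas.Admin."
    // (the default for an MVC 5 area named "Admin").
    public static List<string> FindUnprotectedActions(Assembly webAssembly)
    {
        var unprotected = new List<string>();

        var adminControllers = webAssembly.GetTypes().Where(t =>
            typeof(Controller).IsAssignableFrom(t)
            && !t.IsAbstract
            && t.Namespace != null
            && t.Namespace.Contains(".Areas.Admin."));

        foreach (var controller in adminControllers)
        {
            // An authorization filter on the class applies to every action in it.
            // IsDefined with inherit: true also matches subclasses such as a custom AuthorizeAttribute.
            bool controllerProtected = controller.IsDefined(typeof(AuthorizeAttribute), inherit: true);

            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => ReturnsActionResult(m.ReturnType)
                            && !m.IsDefined(typeof(NonActionAttribute), inherit: true));

            foreach (var action in actions)
            {
                // [AllowAnonymous] is a deliberate opt-out that the base AuthorizeAttribute honours;
                // it is not reported here, but it is the one thing worth grepping for in review.
                if (action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true))
                    continue;

                bool actionProtected = action.IsDefined(typeof(AuthorizeAttribute), inherit: true);
                if (!controllerProtected && !actionProtected)
                    unprotected.Add(controller.Name + "." + action.Name);
            }
        }

        return unprotected;
    }

    // Sync actions return ActionResult (or a subclass); async ones return Task<ActionResult>.
    private static bool ReturnsActionResult(Type returnType)
    {
        if (typeof(ActionResult).IsAssignableFrom(returnType)) return true;
        return returnType.IsGenericType
            && returnType.GetGenericTypeDefinition() == typeof(Task<>)
            && typeof(ActionResult).IsAssignableFrom(returnType.GetGenericArguments()[0]);
    }
}

// Call once from Application_Start (or from a unit test) so that a forgotten attribute
// throws instead of silently exposing the URL.
public static class Startup
{
    public static void VerifyAdminAreaIsProtected()
    {
        var holes = AdminAreaAuthorizationAudit.FindUnprotectedActions(typeof(Startup).Assembly);
        if (holes.Count > 0)
            throw new InvalidOperationException(
                "Unprotected Admin-area actions: " + string.Join(", ", holes));
    }
}
```

Two caveats on the status code the answer uses: 401 is what the framework sends for "not logged in", and with forms authentication it is rewritten into a redirect to the login page; a user who is logged in but not an admin should get 403 Forbidden instead, otherwise they are bounced to a login form they have already passed. The audit above does not check which status is returned, only that some authorization filter is present.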


This is how I do it. However, your membership system must be using ASP.NET Roles for it to work properly.

In your controller, you just add the Authorize data annotation. For the action to be accessed by the client, they must be logged in and have the role specified on the action.



This solution may not be a direct cut and paste, but you can see the basic usage and then maybe do a little more research on the Authorize functionality.

using System.Web.Mvc;

public class MyController : Controller
{
    // Only authenticated users in the "Admin" role get here; everyone else gets a 401.
    [Authorize(Roles = "Admin")]
    public ActionResult AdminIndex()
    {
        return View();
    }

    [Authorize(Roles = "basic")]
    public ActionResult BasicUsersIndex()
    {
        return View();
    }
}


+1


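The answer's requirement that the membership system "must be using ASP.NET Roles" is less of a hurdle than it sounds: the question already has a bool Admin column, and all [Authorize(Roles = "Admin")] and User.IsInRole need is a principal that answers IsInRole from that flag. The following is an added example, not code from the question or this answer, that maps the column onto a single "Admin" role once per request in Global.asax.cs, after forms authentication has identified the user. It assumes forms authentication and ASP.NET MVC 5; UserStore is a constructed in-memory stand-in for the question's user table and RoleMapper is a hypothetical name.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Constructed stand-in for the question's user table (bool column Admin).
// Replace with your real repository; it is here only so the example runs.
public static class UserStore
{
    private static readonly Dictionary<string, bool> AdminByUserName =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", true },   // an administrator
            { "bob",   false },  // a regular user
        };

    public static bool IsAdmin(string userName)
    {
        bool admin;
        // Unknown user -> not an admin (fail closed).
        return AdminByUserName.TryGetValue(userName, out admin) && admin;
    }
}

// Hypothetical helper that turns the Admin flag into the role set for this request.
public static class RoleMapper
{
    // The only role this application knows; the bool column is mapped onto it.
    public const string AdminRole = "Admin";

    public static string[] RolesFor(bool isAdmin)
    {
        return isAdmin ? new[] { AdminRole } : new string[0];
    }

    // Wraps the forms-auth identity in a principal whose IsInRole("Admin") comes from the
    // database flag, so [Authorize(Roles = "Admin")] and User.IsInRole work with no other changes.
    public static IPrincipal BuildPrincipal(IIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            throw new ArgumentException("Only authenticated identities get roles", "identity");
        return new GenericPrincipal(identity, RolesFor(UserStore.IsAdmin(identity.Name)));
    }
}

// Goes in Global.asax.cs; the event fires after FormsAuthenticationModule has set Context.User.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return; // anonymous request: leave the default principal alone, no roles

        IPrincipal principal = RoleMapper.BuildPrincipal(Context.User.Identity);
        Context.User = principal;
        Thread.CurrentPrincipal = principal; // keeps IsInRole consistent outside the pipeline
    }
}
```

This does one lookup per authenticated request, which is the safe default: the moment the Admin flag is cleared in the database the user stops being in the role. The usual optimisation, stashing the roles in the forms ticket's UserData at login, avoids the lookup but means a demoted administrator keeps the role until the cookie expires.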


Ideally, you should use role-based access control. By restricting access to a role rather than a boolean value in a table, you can decorate your ClientesAdmin controller with an authorization attribute as shown below.

[Authorize(Roles = "Admin")]
public class ClientesAdminController : Controller
{
}


You can also use the Razor helpers to check whether the user is in a role, with User.IsInRole("Administrator").

There is a lot of help online to guide you along this path, but if your application is already developed, you probably want to make your own changes. Then the recommendation would be to create your own AuthorizeAttribute. Something like:

using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class RestrictAccessToAdmins : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Do the default Authorize logic first (is the user logged in?) and stop if not;
        // otherwise the database lookup below would run for anonymous requests too.
        if (!base.AuthorizeCore(httpContext)) return false;

        if (httpContext.User.IsInRole("Admin")) return true;

        var id = httpContext.User.Identity.GetUserId();

        using (var context = new ApplicationDbContext())
        {
            // Implement your own DB logic here returning true or false.
            // Assumes the user entity has the bool column Admin from the question; adjust to your schema.
            // Any() rather than First(): a missing row means "not an admin", not an exception.
            return context.Users.Any(u => u.Id == id && u.Admin);
        }
    }
}


To use the attribute, you do the following:

[RestrictAccessToAdmins]
public class ClientesAdminController : Controller
{
}


Then over time, with a better understanding of the default authorization attribute and a little refactoring, you can easily change it to the form below :)

[RestrictAccessToAdmins(Roles = "Admin")]
public class ClientesAdminController : Controller
{
}


+1


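A custom AuthorizeAttribute like the one in this answer decides who gets in, but it inherits the base class's handling of a failed check: a 401, which forms authentication turns into a redirect to the login page. For a user who is already logged in and simply is not an admin that is a loop, not an error page. The following is an added example, not code from the question or from this answer, that completes the attribute with a HandleUnauthorizedRequest override returning 403 for authenticated non-admins while keeping the 401/login redirect for anonymous users, and puts the attribute on an abstract base controller so every controller in the Admin area is protected by default. It assumes ASP.NET MVC 5; RequireAdminAttribute, its IsAdminLookup hook and AdminControllerBase are hypothetical names, and the lookup is wired to a constructed in-memory table only so the example runs.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class RequireAdminAttribute : AuthorizeAttribute
{
    // Hypothetical hook: the lookup against the user table's Admin column is injected so the
    // attribute can be unit-tested without a database. Default denies everyone (fail closed).
    public static Func<string, bool> IsAdminLookup = userName => false;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Base check: is there an authenticated user at all (plus Users/Roles if they were set)?
        if (!base.AuthorizeCore(httpContext)) return false;

        return IsAdminLookup(httpContext.User.Identity.Name);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            // Logged in but not an admin: 403, not a redirect to the login page the user
            // has already passed. Forms authentication leaves a 403 alone.
            filterContext.Result = new HttpStatusCodeResult(403, "Administrators only");
            return;
        }

        // Anonymous: the default 401, which forms authentication turns into the login redirect.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Every controller in the Admin area derives from this, so a new controller is admin-only
// by default and a developer has to add [AllowAnonymous] deliberately to open an action.
[RequireAdmin]
public abstract class AdminControllerBase : Controller
{
}

public class ClientesAdminController : AdminControllerBase
{
    public ActionResult List()
    {
        return View();
    }
}

// Constructed wiring for the example (in a real app this goes in Application_Start and
// queries the user table): only "alice" is an administrator.
public static class AdminLookupConfig
{
    private static readonly Dictionary<string, bool> AdminByUserName =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", true },
            { "bob",   false },
        };

    public static void Register()
    {
        RequireAdminAttribute.IsAdminLookup = name =>
        {
            bool admin;
            return AdminByUserName.TryGetValue(name, out admin) && admin;
        };
    }
}
```

Because AuthorizeCore is also what the base class calls from OnCacheAuthorization, this attribute stays correct on actions that use [OutputCache]: a cached admin page is never served to a non-admin. Hiding the menu entry in the Razor view, as in the question, remains purely cosmetic; the attribute on the base controller is the control that actually enforces the URL.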

