Using the Authorize attribute I may specify the roles which are allowed to access the resources:
[Authorize(Roles="User")]
But if I have an admin user which is allowed to go to any resource, I need to specify this one as well:
[Authorize(Roles="User, Administrator")]
But maybe there is some way I can say somehow that Administrator is allowed to go anywhere, and not specify this one in the Authorize attribute?
So I mean, if somewhere in the code (on a controller or on an action) there would be this [Authorize(Roles="User")],
it means that the Administrator role is allowed to go there as well.
Or maybe I may set it for all Authorize roles dynamically somehow when the application starts?
Any ideas?
UPDATED:
Currently I have one admin controller with the Authorize attribute [Authorize(Roles="Administrator")]
and I have some actions in some other controllers with the attribute [Authorize(Roles="User")],
so I will need to add "Administrator"
there as well if I don't find a better solution.
I think this will work for you. Create your own base controller, with the AuthorizeAttribute, then make your other Controllers inherit your base class.
using System.Web.Mvc;

[Authorize(Roles="Admin")]
public class MyFancyController : Controller
{
}

[Authorize(Roles = "TaxPayer")]
public class WizardController : MyFancyController
{
    ...
}
How many controllers/Actions do you have? What if you forget about this later and maybe you have a page you don't want Admins to access?
Will debugging the code become more difficult?
[Authorize(Roles = "User, Admin")]
public class PrestamosController : Controller
{
// controller details
}
You can create a custom filter and use it to decorate your Actions or Controllers with it. This is a simple structure I've used quite a lot:
using System.Web.Mvc;

public class AuthorizationAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Anonymous caller: 401 (forms authentication turns this into a redirect to the login page).
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // The controller and action being invoked, for the authorization logic below.
        var actionName = filterContext.ActionDescriptor.ActionName;
        var controllerName = filterContext.Controller.GetType().Name;

        bool isAuthorized = false;
        // Put your logic here !!!! (e.g. check actionName/controllerName against the user's roles)
        if (!isAuthorized)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }
    }
}
You can read some more here
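The following is an added example, not code from the question or from any of the answers above, showing the thing the question actually asks for: an AuthorizeAttribute subclass whose Roles check is always satisfied by one privileged role, so that [Authorize(Roles="User")] can be replaced one-for-one and Administrator no longer has to be listed everywhere. It also serves the custom-filter answer just above, because subclassing AuthorizeAttribute runs the check in the authorization stage (before action filters and with correct OutputCache handling) instead of in OnActionExecuting. One caveat on the base-controller answer earlier: ASP.NET MVC collects Authorize attributes from base classes too, and every instance must pass, so an Admin-only base class plus a TaxPayer-only derived class requires the caller to hold both roles, not either; putting the Administrator short-circuit inside the attribute avoids that. The class name AuthorizeWithSuperRoleAttribute, the SuperRole property and the Index action are hypothetical names chosen for this example.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example (hypothetical class, not from the page). Drop-in replacement for
// [Authorize]: same Users/Roles properties, plus one role that always passes.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeWithSuperRoleAttribute : AuthorizeAttribute
{
    // Role that satisfies every check regardless of Roles; configurable per attribute.
    public string SuperRole { get; set; }

    public AuthorizeWithSuperRoleAttribute()
    {
        SuperRole = "Administrator";
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Short-circuit: the super role is allowed wherever this attribute is used.
        if (!string.IsNullOrEmpty(SuperRole) && user.IsInRole(SuperRole))
            return true;

        // Everyone else goes through the normal Users/Roles evaluation.
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but not in an allowed role: answer 403 instead of 401, so forms
        // authentication does not bounce an already-authenticated user to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        // Anonymous: keep the default 401 / login redirect.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage at the same places the question's attributes sit: "User" is still required
// for ordinary callers, and "Administrator" gets in without being listed.
[AuthorizeWithSuperRole(Roles = "User")]
public class PrestamosController : Controller
{
    public ActionResult Index()
    {
        return Content("visible to User and to Administrator");
    }
}

// Admin-only area stays admin-only: Roles and SuperRole name the same role.
[AuthorizeWithSuperRole(Roles = "Administrator")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return Content("visible to Administrator only");
    }
}
```

Because the privileged role is a property of the attribute rather than a global filter, the check still works when several attributes stack on one controller or action, and a single page that must exclude administrators (the concern raised in the second answer) can simply keep using the stock [Authorize(Roles="User")] instead.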