Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP.NET MVC Authorize user with many roles

Tags:

c#

security

asp.net

asp.net-mvc

authorization

I need to authorize a Controller in my ASP.NET MVC application to users which have two roles. I am using Authorize attribute like this:

[Authorize(Roles = "Producer, Editor")]

But this allows Producers and Editors to the controller. I want only to allow users having both roles, not just one of them.

How could i achive this?

like image 600
Herno Avatar asked Jul 14 '14 14:07

Herno

2 Answers

As the question states, when multiple roles are given in a single Authorize() call they are applied such that if the user belongs to any of the roles listed they will be granted access; like a logical OR operator.

Alternatively, to achieve the effect of a logical AND operator you can apply the Authorize attribute multiple times. Eg..

[Authorize(Roles = "Producer")]
[Authorize(Roles = "Editor")]
public ActionResult Details(int id) {
    // Only available to users who are Producers AND Editors
}

For the example above, the action body is accessible only to users who belong to the Producer and the Editor roles.

Rudi points out in the comments this lets you create some reasonably complex access rules without needing to implement a custom AuthorizeAttribute. For example, in the code below users can execute the action if they are both: a) in the Enabled role and b) in either the Editor or Admin roles.

[Authorize(Roles = "Enabled")]
[Authorize(Roles = "Editor,Admin")]
public ActionResult Details(int id) {
    // Only available to users who are Enabled AND either an Admin OR an Editor
}

I'm not sure which version brought this in but it works in at least MVC 4 and 5.

like image 186
Molomby Avatar answered Oct 04 '22 04:10

Molomby

You should do your custom AuthorizeAttribute

public class AuthorizeMultipleAttribute : AuthorizeAttribute
{

   //Authorize multiple roles
   public string MultipleRoles { get; set; }

  protected override bool AuthorizeCore(HttpContextBase httpContext)
  {
      var isAuthorized = base.AuthorizeCore(httpContext);
      if (!isAuthorized)
      {                
        return false;
      }

      //Logic here
      //Note: Make a split on MultipleRoles, by ','
      //User is in both roles => return true, else return false
  }

}

DEMO :

[AuthorizeMultiple(MultipleRoles ="Role1,Role2")]
public class UserController{
}
like image 28
Cosmin Avatar answered Oct 04 '22 03:10

Cosmin
Sign in to Comment

Related questions

Does casting create new object?
Caliburn Micro Guard Methods not evaluating on property change
Is VB's Dim the same as C#'s var?
Convert String (UTF-16) to UTF-8 in C#
Regex accent insensitive?
Operator '=' chaining in C# - surely this test should pass?
C# get and set properties for a List Collection
Protocol buffers detect type from raw message
Generating SQL queries safely in C#
DataGridView row's background color is not changing
How do you parse a JSON file using JSON.net
how to draw a line on a image?
Get parent directory of parent directory
Binding multiple ObservableCollections to One ObservableCollection
How to set HTML to clipboard in C#?
What does the SQL Server XML datatype translate to in .NET and how do I convert it to XmlDocument?
How to queue background tasks in ASP.NET Web API
Returning an anonymous type from MVC 4 Web Api fails with a serialization error
Textbox Keydown event not firing when arrow key press
Adding an explicit action route to ASP.NET Web API Controller

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!