Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

user roles and permission in mvc

Tags:

c#

asp.net-mvc

I have a mvc application, where I have different roles of uses, and a role user have different functionality (ex: add, edit, delete,--), and a user in each role will have sub set of this functionality in this role. I want to give permission to each user to view the pages based on this permissions.

What would be the best way to achieve this in mvc?

Thanks

like image 931
Jiju John Avatar asked Mar 25 '15 06:03

Jiju John

1 Answers

In our application we have roles and each role has many functionalities. Our goal was to control access at the functionality level instead of role level using less access to the database as possible.

Here is what we do:

1) At the login, we create an UserCredentials object which contains all functionalities that the user has access (based on its roles). It is a "distinct" of all functionalities contained in all roles the user has access. Then we store this UserCredentials in session.

2) To restrict access to controllers or actions, we have implemented an attribute that inherits AuthorizeAttribute and we use like:

[Secure(Functionalities="Xyz.View,Xyz.Save")]
public ActionResult SomeAction(...){ ... }

Note that there is no database call, all we do is to check that "Xyz.View" is in the functionalities list stored in the UserCredentials.

3) Sometimes we need to access the credentials from inside the action, so we have created another ActionFilter (global) which will inject the credentials in the action parameters for you if he finds a parameter named "credentials", for instance:

public ActionResult SomeAction(UserCredentials credentials, int otherParameters)
{
    // "credentials" is populated by the global action filter  
}

You could use this to show a different view based on the user Roles or Functionalities.

4) Another scenario is when we need to hide portions of our views based on user roles or functionalities. For this, we have created a BaseViewModel which has a UserCredentials property. This property is also populated by another global ActionFilter that runs AFTER the action is executed. If the model inherits BaseViewModel, then the filter populates UserCredentials property. We can do something like:

@if(Model.UserCredentials.IsInRole("X")){
    <div>Some content</div>
}

or 

@if(Model.UserCredentials.HasAccessTo("Xyz.Save")){
    <button>Save</button>
}

I hope it helps.

like image 180
Auresco82 Avatar answered Oct 21 '22 21:10

Auresco82
Sign in to Comment

Related questions

Xamarin FindViewById returns null
Constructor injection (DI) vs. static factories for cross cutting concerns?
Getting an ApiController to work with areas?
Json.Net calls property getter during deserialization of list, resulting in duplicate items
Get Primary Key of DBEntityEntry when Adding
Combinations With Repetitions C#
How to disable appearing of ToolTip text over ToolStripButton?
Async: How to break on exact line of code that has thrown the exception?
.ToShortDateString returning different cultural format than expected
Use "FindResource" from other classes of the application
One or more errors occurred: PostAsJsonAsync
C# - Object Creation
How to delete the file of a PrivateFontCollection.AddFontFile?
Prism EventAggregator difference between PubSubEvent<TPayload> Class and CompositePresentationEvent<TPayload> Class
WPF Fullscreen toggle still showing part of desktop
Detect current keyboard language/layout name in multi-language computer
What does CreateMany with seed do?
How to check if user already exists on client-side in ASP.NET MVC 5?
Ungreedy regex in C#
RabbitMQ 3.5 and Message Priority

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!