Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why would I hard-code user permissions in my controller attributes?

Tags:

c#

security

asp.net-mvc

role-based

I have seen example code that looks like this, which seems perfectly reasonable:

[Authorize(Roles = "Admin, User")] 
public class SomeController : Controller

But I have also seen several examples that look like this:

[Authorize(Users = "Charles, Linus")] 
public class SomeController : Controller

Why would I ever want to do this? I can't imagine any scenario where I would want to build a system that knows its user names in advance.

like image 237
Robert Harvey Avatar asked Feb 16 '10 15:02

Robert Harvey

3 Answers

There are a few legitimate uses of this, and here's one example: If you're building a really simple site, that simply has an admin account and an unauthenticated account, you could do

[Authorize(Users = "Admin")]

This saves you the trouble of bothering to construct roles just for a single user. Think UNIX style, where the root account (uid 0) is special rather than a particular group.

Another example is simply a throw-away application, where you're testing something. There's no reason to bother with roles if you just want to test your authentication page or something like that.

One more reason: testing. You could build a unit test just for your authentication without wanting to unit test your role based framework. (Keep in mind, not everyone is using the default membership provider, and some membership providers are pretty sophisticated.) By creating a hard coded authentication for a test user, you can bypass the roles framework.

like image 98
David Pfeffer Avatar answered Oct 19 '22 22:10

David Pfeffer

You wouldn't, hardcoding users is a bad smell. Roles exist for things like that.

Edit: I believe that, like when .net 1.0 hit with the whole web.config with allow/deny permissions, those are (or atleast SHOULD ONLY be) used as example sauce, even tho I'm into the pile of people that believe that blogs, tutorials and samples should only use good practices.

like image 41
Francisco Aquino Avatar answered Oct 19 '22 22:10

Francisco Aquino

The only "legitimate" reason to do that I can think of is building a back-door - either for nefarious, or for "future maintenance" purpose. The latter is Bad Juju as it introduces security risk. The former is Bad Juju as well of course :)

like image 41
DVK Avatar answered Oct 19 '22 22:10

DVK
Sign in to Comment

Related questions

Are there any alternative scaffolding frameworks to Asp.Net Dynamic Data?
Is there an official XML Schema (xsd) for EDI X12 856?
Routing Key events to other control
Compare two xml and print the difference using LINQ
Using a previously generated RSA public/private key with the .net framework
How to measure desktop applicaton usage by users? [closed]
Unity and WCF Library: Where to load unity in a wcf library?
Run T4 text template programmatically
choosing a diagramming library for .Net [closed]
SQL: Sequentially doing UPDATE .WRITE on VarBinary column
Using a WCF Service with Entity Framework 4 and...DTO?
ASP.NET modal popup, entirely from code behind?
Can I change a user's keyboard input?
Cross-Process Drag and Drop of custom object type in WinForms C#
Unique Keys not recognized by Entity Framework
Should I use FxCop and why?
Most flexibilities rule engine for .NET [closed]
RSA: How to generate private key in java and use it in C#?
How to Export data to Excel using LINQ to Entity?
DDD - Entity state transition

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!