authorization ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)?

I could do this with a custom attribute as follows.

[AuthorizeUser(AccessLevel = "Create")]
public ActionResult CreateNewInvoice()
{
    //...

    return View();
}

Custom Attribute class as follows.

using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Custom property
    public string AccessLevel { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            return false;
        }

        // Call another method to get the rights of the user from the DB
        // (GetUserRights is not shown here; it returns the user's permission codes).
        IEnumerable<string> privilegeLevels = GetUserRights(httpContext.User.Identity.Name);

        // Compare code by code. Joining the codes into one string and doing a
        // substring search would let a code match across the boundary of two others.
        if (privilegeLevels.Contains(this.AccessLevel))
        {
            return true;
        }
        else
        {
            return false;
        }
    }
}

You can redirect an unauthorised user in your custom AuthorisationAttribute by overriding the HandleUnauthorizedRequest method:

// Add this override inside AuthorizeUserAttribute (needs System.Web.Routing).
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    filterContext.Result = new RedirectToRouteResult(
        new RouteValueDictionary(
            new
            {
                controller = "Error",
                action = "Unauthorised"
            })
        );
}

I've tried your example of HandleUnauthorizedRequest but when I specify the RouteValueDictionary, it just redirects me to a route that doesn't exist. It appends the route I want to redirect the user to to the route that the user wanted to access... so I get something like: localhost:9999/admin/Home when I wanted localhost:9999/Home
@Emil I would just simply return the boolean that the String.Contains method gave me. But this is irrelevant, I didn't downvote, I just didn't upvote hehe.

@GabrielBB, I wish you would explain more. Does your comment mean I shouldn't follow this solution and that there's something you would change about it? What would you write in place of the if/else? Thank you.
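A hardened version of the attribute from the answer above, added here as an example and not the answer's own code: permission codes are looked up as a set and matched exactly, the check fails closed when no AccessLevel is configured, unauthenticated users keep the base 401 (login redirect) while authenticated users lacking the code go to the error page, and the redirect sets area = "" so it resolves to /Error/Unauthorised even from a controller inside an area such as /admin, which is the usual cause of the /admin/Home redirect described in the comment. IUserPermissions and PermissionsFactory are assumed hooks that stand in for the post's unnamed "another method" that reads rights from the DB.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Assumed hook for the permission store; the post only mentions "another method" that reads rights from the DB.
public interface IUserPermissions
{
    ISet<string> GetPermissionCodes(string userName);
}
public class AuthorizeUserAttribute : AuthorizeAttribute
{
    public string AccessLevel { get; set; }
    // Assumed composition hook; a real app would resolve IUserPermissions from its DI container.
    public static Func<IUserPermissions> PermissionsFactory;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base class handles authentication plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Fail closed: an attribute with no code configured, or no store wired up, grants nothing.
        if (string.IsNullOrWhiteSpace(AccessLevel) || PermissionsFactory == null)
            return false;

        ISet<string> codes = PermissionsFactory().GetPermissionCodes(httpContext.User.Identity.Name);

        // Exact match on a set: "Create" matches only the code "Create", never a
        // substring of another code or of two codes joined together.
        return codes.Contains(AccessLevel);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Not logged in: keep the base 401 so forms authentication sends the user to the login page.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Logged in but lacking the code: send to the error page. area = "" clears the
        // ambient area value, so the redirect is /Error/Unauthorised even from /admin/...
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { area = "", controller = "Error", action = "Unauthorised" }));
    }
}
```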
