Question

I have built an MVC website on IIS6. I used the built-in ASP.NET Security without Membership, just the way it was implemented in the template solution. It is easy to secure a controller or action, but now I need to expose the user management to an admin logged into the site. I understand that the built-in ASP controls for doing this are not "best practice" and are a dog to get working. So what is the best practice for offering user management through an ASP.NET MVC application?

I considered using the Entity Framework and wiring it up to the myriad of stored procs, but that seems awkward. I see options for AccountMembershipService and FormsAuthenticationService. That is what the existing project account controller uses. But I am not familiar with either.

I can't help but think that this should have already been there from the project template. This is a fundamental part of any website and you were given 15%, why not the rest?

Solution 4

I have user auth working in a somewhat sane manner now. The biggest hurdle to get over is that it IS ok to use the Membership classes, even though I am not using the Profile aspect of membership. It is easy to get the user name and do Membership.GetUser(UserName). Then you can do many things like Unlock, Approve/Disapprove, change the password and change password question/answer... all the basics I need.

Here are the basics:

'get current logged in user
Dim currentUser As MembershipUser = Membership.GetUser()

'get current logged in user name
Dim userName = currentUser.UserName

'get current user email
Dim userEmail = currentUser.Email

'get a user to edit
Dim editingUser = Membership.GetUser(UserName)

'set the user email
editingUser.Email = newEmail
Membership.UpdateUser(editingUser)

'unlock user
editingUser.UnlockUser()

'disapprove user
editingUser.IsApproved = False
Membership.UpdateUser(editingUser)

'approve user
editingUser.IsApproved = True
Membership.UpdateUser(editingUser)

'change pw
editingUser.ChangePassword(oldPw, newPw)

and that is mostly all there is to it.

OTHER TIPS

As far as I can tell, you are using SqlMembershipProvider as your Membership Provider implementation. I would strongly suggest that you have a look at some of the methods of MembershipUser and MembershipProvider classes (such as CreateUser, etc) to achieve what you are trying to do instead of working with the underlying database tables used for the implementation.

You can also have a look at this article for an in-depth intro to ASP.NET's Membership, Roles, and Profile providers.

Check out this project at CodePlex: ASP.Net MVC Membership Starter Kit

I don't know about "best practice" but this is how I would do it (and how it is sort of written in "Professional ASP.NET MVC 1.0"):

You should have a custom (or the default) ProfileProvider and MembershipProvider in place for this to work.

Create a controller which handles all the member management actions, e.g. MemberAdminController.

This controller should have the [Authorize(Roles="Administrator")] attribute specified so all actions in this controller will only be handled if the user is in the Administrator role.

Now you can build the CRUD views and actions how you would like using only this controller.
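A sketch of the role-restricted controller described in the answer above, combined with the Membership calls from the accepted solution. This is an added example, not code from any of the answers; the action names (Index, Unlock, SetApproval), the FindUser helper and the Index view are assumptions, and it expects a configured MembershipProvider and RoleProvider.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Mvc
Imports System.Web.Security

' Added example: every action on this controller requires the Administrator role.
<Authorize(Roles:="Administrator")> _
Public Class MemberAdminController
    Inherits Controller

    ' GET: list all users from the configured MembershipProvider.
    Public Function Index() As ActionResult
        Return View(Membership.GetAllUsers())
    End Function

    ' State changes are POST-only and carry an anti-forgery token, so a
    ' cross-site request cannot trigger them from an admin's browser session.
    <AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken()> _
    Public Function Unlock(ByVal userName As String) As ActionResult
        FindUser(userName).UnlockUser()
        Return RedirectToAction("Index")
    End Function

    <AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken()> _
    Public Function SetApproval(ByVal userName As String, _
                                ByVal approved As Boolean) As ActionResult
        Dim target As MembershipUser = FindUser(userName)
        ' Stop an admin from disabling the account they are logged in with.
        If Not approved AndAlso String.Equals(target.UserName, _
                User.Identity.Name, StringComparison.OrdinalIgnoreCase) Then
            Throw New HttpException(400, "Cannot disapprove your own account.")
        End If
        target.IsApproved = approved
        Membership.UpdateUser(target)
        Return RedirectToAction("Index")
    End Function

    ' Membership.GetUser returns Nothing for an unknown name, so turn
    ' that into a 404 instead of a NullReferenceException.
    Private Shared Function FindUser(ByVal userName As String) As MembershipUser
        Dim found As MembershipUser = Nothing
        If Not String.IsNullOrEmpty(userName) Then found = Membership.GetUser(userName)
        If found Is Nothing Then Throw New HttpException(404, "No such user.")
        Return found
    End Function
End Class
```

Each form that posts to Unlock or SetApproval has to emit the matching token with Html.AntiForgeryToken(), otherwise ValidateAntiForgeryToken rejects the request.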

In MvcCms we used the RoleProvider out of the box but converted the membership provider over to entity.

http://mvccms.codeplex.com/SourceControl/changeset/view/56727#994414

Licensed under: CC-BY-SA with attribution