Question

During my first steps in .NET MVC 4 I'm creating a web site and I would like to implement user authentication/authorization.

In my implementation I would like to be able to link controls to roles. For example, if I have 2 roles in my system, Admin and User, then in some view, say, I have 3 inputs:

            <input class="search-field rounded" id="field1" type="text"/>
            <input type="submit" name="submit"/>

            <input class="search-field rounded" id="field2" type="text"/>
            <input type="submit" name="submit"/>

            <input class="search-field rounded" id="field3" type="text"/>
            <input type="submit" name="submit"/>

I would like that an Admin will be able to see and edit all 3 fields in this view, but a User should only see 2 of them, and be able to edit one of them (this is just an example).

So basically, I would like to be able to define permissions for controls, and a role should consist of a collection of permissions (if you can think of a better approach I would love to hear it).

So those are my constraints, and I see quite a few packages out there (such as Fluent Security and Security Guard) that relate to the subject, but I'm not quite sure which is best to tackle my challenge, if at all.

Is there a best practice to overcome this demand?

Any help is highly appreciated.

Solution 3

I ended up creating my own custom membership provider and role provider.

In my Role Provider I added a method

public bool UserHasPermission(string username, string permission) {...}

And in my view I'm doing:

@{
    var roleProvider = Roles.Provider as MyCustomRoleProvider;
    bool addressEditPermission = roleProvider.UserHasPermission(User.Identity.Name, "addressEditPermission");
}

Then I can manipulate my control:

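@* readonly is emitted only when the user lacks the permission; a readonly attribute with any value, even "False", makes the input read-only *@
@Html.TextBoxFor(model => model.Name, addressEditPermission ? null : (object)new { @readonly = "readonly" })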

You just need to make sure your control has overloads that take HTML attributes.

I hope this helps someone..
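
Making a control read-only or leaving it out of the view only changes what the browser renders, so the same permission check has to run again on the server when the form is posted. The following is an added example, not code from the original answers: a framework-independent C# sketch using the question's Admin/User split. `FieldPolicy`, the permission names such as `field1.edit`, and the sample data are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: FieldPolicy and the permission names are hypothetical.
static class FieldPolicy
{
    // A role is a collection of permissions (constructed sample data).
    static readonly Dictionary<string, HashSet<string>> RolePermissions =
        new Dictionary<string, HashSet<string>>
        {
            { "Admin", new HashSet<string> { "field1.view", "field1.edit", "field2.view",
                                             "field2.edit", "field3.view", "field3.edit" } },
            { "User",  new HashSet<string> { "field1.view", "field1.edit", "field2.view" } }
        };

    public static bool HasPermission(IEnumerable<string> roles, string permission)
    {
        return roles.Any(r => RolePermissions.ContainsKey(r) && RolePermissions[r].Contains(permission));
    }

    // Copies only the posted fields the caller may edit; returns the names it refused.
    public static List<string> ApplyEdits(IEnumerable<string> roles,
        IDictionary<string, string> posted, IDictionary<string, string> stored)
    {
        var rejected = new List<string>();
        foreach (var pair in posted)
        {
            if (stored.ContainsKey(pair.Key) && HasPermission(roles, pair.Key + ".edit"))
                stored[pair.Key] = pair.Value;
            else
                rejected.Add(pair.Key); // unknown field or no edit permission: do not save
        }
        return rejected;
    }

    static void Main()
    {
        var stored = new Dictionary<string, string> { { "field1", "a" }, { "field2", "b" }, { "field3", "c" } };
        // Constructed form post from a "User": it carries all three fields, although the
        // view rendered field2 read-only and did not render field3 for that role.
        var posted = new Dictionary<string, string> { { "field1", "x" }, { "field2", "y" }, { "field3", "z" } };
        var rejected = ApplyEdits(new[] { "User" }, posted, stored);
        Console.WriteLine("rejected: " + string.Join(", ", rejected));
        Console.WriteLine(string.Join(", ", stored.Select(kv => kv.Key + "=" + kv.Value)));
    }
}
```

In an MVC action the same check belongs in the POST handler, with the roles taken from the authenticated principal rather than from anything in the request.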

OTHER TIPS

idlehands23 has shown how you might access and check roles, but I'm guessing you want to use this functionality at the view level.

Within an action method, I usually pass HttpContext.User into the ViewBag or in the case of a strongly typed view you can pass the principal into your model and parse these values out as you wish. Then pass the model to the view like so.

return View(new ModelClass(HttpContext.User));

From here you can add additional code into the view logic to parse/check the roles and render the html with greater specificity using for example:

@if (Model.User.IsInRole("Admin"))
{
    //Render admin controls
    //...
}
else
{
   //Render User Controls
   //...
}

Using the [Authorize(Roles = "Admin,User")] attribute on your action method would restrict access to an entire group of users. In such a case you would need two action methods and one or possibly two distinct views to render the content. However, if you just want to limit it to ANY authorized user you can do like so:

    [Authorize]
    public ActionResult Index() { return View(); }

Then you can implement the logic at the view level with the certainty that they are authorized.

I have done it this way:

//In Controller
ViewBag.Roles = Roles.GetRolesForUser(User.Identity.Name);//viewbag because I'm assuming this isn't what you want to strongly type to your page.

//In View
@{
  var roles = (string[])ViewBag.Roles; //Roles.GetRolesForUser returns string[]
}
@if (roles.Contains("admin")) //put whatever you want in place of "admin"
{
    //do something
}

In your controller you can give access to certain views or partial views this way:

//in controller if you want it.
[Authorize(Roles = "Admin, ImportExport, Search")] //this is just for security
public ActionResult whatever() { return View(); }

*I use Razor. Replace @ with <% %> if you're not.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow