SyntaxFix

[asp.net-mvc-4] ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

I need to control the access to views based on users privilege levels (there are no roles, only privilege levels for CRUD operation levels assigned to users) in my MVC 4 application.

As an example; below the AuthorizeUser will be my custom attribute and I need to use it like this:

[AuthorizeUser(AccessLevels="Read Invoice, Update Invoice")]
public ActionResult UpdateInvoice(int invoiceId)
{
   // some code...
   return View();
}


[AuthorizeUser(AccessLevels="Create Invoice")]
public ActionResult CreateNewInvoice()
{
  // some code...
  return View();
}


[AuthorizeUser(AccessLevels="Delete Invoice")]
public ActionResult DeleteInvoice(int invoiceId)
{
  // some code...
  return View();
}

Is it possible to do it this way?

This question is related to asp.net-mvc-4 authorization custom-attributes

The answer is

Here is a modification for the prev. answer. The main difference is when the user is not authenticated, it uses the original "HandleUnauthorizedRequest" method to redirect to login page:

   protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {

        if (filterContext.HttpContext.User.Identity.IsAuthenticated) {

            filterContext.Result = new RedirectToRouteResult(
                        new RouteValueDictionary(
                            new
                            {
                                controller = "Account",
                                action = "Unauthorised"
                            })
                        );
        }
        else
        {
             base.HandleUnauthorizedRequest(filterContext);
        }
    }

Maybe this is useful to anyone in the future, I have implemented a custom Authorize Attribute like this:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class ClaimAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    private readonly string _claim;

    public ClaimAuthorizeAttribute(string Claim)
    {
        _claim = Claim;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;
        if(user.Identity.IsAuthenticated && user.HasClaim(ClaimTypes.Name, _claim))
        {
            return;
        }

        context.Result = new ForbidResult();
    }
}

If you use the WEB API with Claims, you can use this:

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class AutorizeCompanyAttribute:  AuthorizationFilterAttribute
{
    public string Company { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var claims = ((ClaimsIdentity)Thread.CurrentPrincipal.Identity);
        var claim = claims.Claims.Where(x => x.Type == "Company").FirstOrDefault();

        string privilegeLevels = string.Join("", claim.Value);        

        if (privilegeLevels.Contains(this.Company)==false)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "Usuario de Empresa No Autorizado");
        }
    }
}
[HttpGet]
[AutorizeCompany(Company = "MyCompany")]
[Authorize(Roles ="SuperAdmin")]
public IEnumerable MyAction()
{....
}

Source: Stackoverflow.com

Examples related to asp.net-mvc-4

Better solution without exluding fields from Binding How to remove error about glyphicons-halflings-regular.woff2 not found When should I use Async Controllers in ASP.NET MVC? How to call controller from the button click in asp.net MVC 4 How to get DropDownList SelectedValue in Controller in MVC Return HTML from ASP.NET Web API There is no ViewData item of type 'IEnumerable<SelectListItem>' that has the key country Return JsonResult from web api without its properties how to set radio button checked in edit mode in MVC razor view How to call MVC Action using Jquery AJAX and then submit form in MVC?

Examples related to authorization

How to send custom headers with requests in Swagger UI? How do you create a custom AuthorizeAttribute in ASP.NET Core? ASP.NET Web API : Correct way to return a 401/unauthorised response How to get http headers in flask? How to define the basic HTTP authentication using cURL correctly? basic authorization command for curl MongoDB "root" user How to use basic authorization in PHP curl How to get user name using Windows authentication in asp.net? Python requests library how to pass Authorization header with single token

Examples related to custom-attributes

Android findViewById() in Custom View ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles) jquery: get value of custom attribute How to create a custom attribute in C# How do I read an attribute on a class at runtime?

Tags

Side-by-side Ploneformgen System-information Coldspring Compute-shader Virtual-desktop Tablespace Oauth-provider Onfocus Pony Esper Audio-converter Radius-protocol Intellisense Local Tinn-r Pinning Opennetcf Copywithzone Cascade Transliteration Writers Localhost Help-files Cisco-ios Geopy Rackspace Exact-match Mobile-browser Asp.net-roles Cinch Caption Media-player C5 Innertext Mobilink Web-analytics Traffic Embedded-media Fault Splitcontainer Mex Iequalitycomparer Sage Extend Date-formatting Boost-thread Java-io Gtk Binary-operators Bus Umdh Ctor-initializer Usrp Datagridviewtextboxcell External-assemblies Drawdib Jdom Moss2007-security Pygresql Viewing Webui External-js Async-workflow Dialect2 Launch Object-relationships Updateprogress Formal-verification System-procedures Android-controls Scrollable Android-framework Cairo Image-scaling Rras User-config Vesa Patch Par Ip-protocol Libpurple Qstandarditemmodel Js-test-driver Rubyosa Nsapplication Silent Portal-server Filereader Hindley-milner Task Aggregators Syscache2 Syncback Embedded-video .nettiers Web-application-design Achievements Ubuntu-server Tipfy