ASP NET MVC 4 Custom Authorize Attribute with Permission Codes without roles

Question

I need to control the access to views based on users privilege levels  there are no roles  only privilege levels for CRUD operation levels assigned to users  in my MVC 4 application    As an example  below the AuthorizeUser will be my custom attribute and I need to use it like this    AuthorizeUser AccessLevels  Read Invoice  Update Invoice    public ActionResult UpdateInvoice int invoiceId          some code       return View         AuthorizeUser AccessLevels  Create Invoice    public ActionResult CreateNewInvoice          some code      return View         AuthorizeUser AccessLevels  Delete Invoice    public ActionResult DeleteInvoice int invoiceId         some code      return View        Is it possible to do it this way

User · Answer

If you use the WEB API with Claims  you can use this    AttributeUsage AttributeTargets Method   AttributeTargets Class  Inherited   true  AllowMultiple   true   public class AutorizeCompanyAttribute   AuthorizationFilterAttribute       public string Company   get  set         public override void OnAuthorization HttpActionContext actionContext                var claims     ClaimsIdentity Thread CurrentPrincipal Identity           var claim   claims Claims Where x   gt  x Type     Company   FirstOrDefault             string privilegeLevels   string Join     claim Value                    if  privilegeLevels Contains this Company   false                        actionContext Response   actionContext Request CreateResponse HttpStatusCode Unauthorized   Usuario de Empresa No Autorizado                       HttpGet   AutorizeCompany Company    MyCompany     Authorize Roles   SuperAdmin    public IEnumerable MyAction

User · Answer

Here is a modification for the prev  answer  The main difference is when the user is not authenticated  it uses the original  HandleUnauthorizedRequest  method to redirect to login page      protected override void HandleUnauthorizedRequest AuthorizationContext filterContext                 if  filterContext HttpContext User Identity IsAuthenticated                 filterContext Result   new RedirectToRouteResult                          new RouteValueDictionary                              new                                                               controller    Account                                   action    Unauthorised                                                                              else                        base HandleUnauthorizedRequest filterContext

User · Answer

I could do this with a custom attribute as follows    AuthorizeUser AccessLevel    Create    public ActionResult CreateNewInvoice                   return View        Custom Attribute class as follows   public class AuthorizeUserAttribute   AuthorizeAttribute          Custom property     public string AccessLevel   get  set         protected override bool AuthorizeCore HttpContextBase httpContext                var isAuthorized   base AuthorizeCore httpContext           if   isAuthorized                                        return false                     string privilegeLevels   string Join     GetUserRights httpContext User Identity Name ToString         Call another method to get rights of the user from DB          return privilegeLevels Contains this AccessLevel                        You can redirect an unauthorised user in your custom AuthorisationAttribute by overriding the HandleUnauthorizedRequest method   protected override void HandleUnauthorizedRequest AuthorizationContext filterContext        filterContext Result   new RedirectToRouteResult                  new RouteValueDictionary                      new                                                        controller    Error                                action    Unauthorised

User · Answer

Maybe this is useful to anyone in the future  I have implemented a custom Authorize Attribute like this    AttributeUsage AttributeTargets Class   AttributeTargets Method  AllowMultiple   true  Inherited   true   public class ClaimAuthorizeAttribute   AuthorizeAttribute  IAuthorizationFilter       private readonly string  claim       public ClaimAuthorizeAttribute string Claim                 claim   Claim             public void OnAuthorization AuthorizationFilterContext context                var user   context HttpContext User          if user Identity IsAuthenticated  amp  amp  user HasClaim ClaimTypes Name   claim                         return                     context Result   new ForbidResult

[asp.net-mvc-4] ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

Examples related to asp.net-mvc-4

Examples related to authorization

Examples related to custom-attributes