Allow multiple roles to access controller action

Question

Right now I decorate a method like this to allow  members  to access my controller action   Authorize Roles  members      How do I allow more than one role  For example the following does not work but it shows what I am trying to do  allow  members  and  admin  access     Authorize Roles  members    admin

User · Answer

For MVC4  using a Enum  UserRoles  with my roles  I use a custom AuthorizeAttribute   On my controlled action  I do    CustomAuthorize UserRoles Admin  UserRoles User   public ActionResult ChangePassword         return View        And I use a custom AuthorizeAttribute like that    AttributeUsage AttributeTargets Method   AttributeTargets Class  Inherited   true  AllowMultiple   true   public class CustomAuthorize   AuthorizeAttribute       private string   UserProfilesRequired   get  set         public CustomAuthorize params object   userProfilesRequired                if  userProfilesRequired Any p   gt  p GetType   BaseType    typeof Enum                throw new ArgumentException  userProfilesRequired             this UserProfilesRequired   userProfilesRequired Select p   gt  Enum GetName p GetType    p   ToArray               public override void OnAuthorization AuthorizationContext context                bool authorized   false           foreach  var role in this UserProfilesRequired              if  HttpContext Current User IsInRole role                                 authorized   true                  break                         if   authorized                        var url   new UrlHelper context RequestContext               var logonUrl   url Action  Http    Error   new   Id   401  Area                      context Result   new RedirectResult logonUrl                return                      This is part of modifed FNHMVC by Fabricio Mart  nez Tamayo https   github com fabriciomrtnz FNHMVC

User · Answer

If you find yourself applying those 2 roles often you can wrap them in their own Authorize  This is really an extension of the accepted answer   using System Web Mvc   public class AuthorizeAdminOrMember   AuthorizeAttribute       public AuthorizeAdminOrMember                 Roles    members  admin             And then apply your new authorize to the Action  I think this looks cleaner and reads easily   public class MyController   Controller        AuthorizeAdminOrMember      public ActionResult MyAction                 return null

User · Answer

Using AspNetCore 2 x  you have to go a little different way    AttributeUsage AttributeTargets Method   AttributeTargets Class  Inherited   true  AllowMultiple   true   public class AuthorizeRoleAttribute   AuthorizeAttribute       public AuthorizeRoleAttribute params YourEnum   roles                Policy   string Join      roles Select r   gt  r GetDescription                just use it like this    Authorize YourEnum Role1  YourEnum Role2

User · Answer

Another option is to use a single authorize filter as you posted but remove the inner quotations    Authorize Roles  members admin

User · Answer

Intent promptInstall   new Intent android content Intent ACTION VIEW   promptInstall setFlags Intent FLAG ACTIVITY NEW TASK   promptInstall setDataAndType Uri parse  http   10 0 2 2 8081 MyAPPStore apk Teflouki apk     application vnd android package-archive      startActivity promptInstall

User · Answer

Better code with adding a subclass AuthorizeRole cs       AttributeUsage AttributeTargets Method   AttributeTargets Class  Inherited   true  AllowMultiple   true       class AuthorizeRoleAttribute   AuthorizeAttribute               public AuthorizeRoleAttribute params Rolenames   roles                        this Roles   string Join      roles Select r   gt  Enum GetName r GetType    r                       protected override void HandleUnauthorizedRequest System Web Mvc AuthorizationContext filterContext                        if  filterContext HttpContext Request IsAuthenticated                                filterContext Result   new RedirectToRouteResult                  new RouteValueDictionary                        action    Unauthorized                          controller    Home                          area                                                               base HandleUnauthorizedRequest filterContext                             else                               filterContext Result   new RedirectToRouteResult                  new RouteValueDictionary                        action    Login                          controller    Account                          area                              returnUrl   HttpContext Current Request Url                                                                        How to use this   AuthorizeRole Rolenames Admin Rolenames Member    public ActionResult Index     return View

User · Answer

One possible simplification would be to subclass AuthorizeAttribute   public class RolesAttribute   AuthorizeAttribute       public RolesAttribute params string   roles                Roles   String Join      roles             Usage    Roles  members    admin      Semantically it is the same as Jim Schmehil s answer

User · Answer

You can use Authorization Policy in Startup cs     services AddAuthorization options   gt                options AddPolicy  quot admin quot   policy   gt  policy RequireRole  quot SuperAdmin quot   quot Admin quot             options AddPolicy  quot teacher quot   policy   gt  policy RequireRole  quot SuperAdmin quot    quot Admin quot    quot Teacher quot              And in Controller Files    Authorize Policy    quot teacher quot      HttpGet  quot stats  id  quot     public async Task lt IActionResult gt  getStudentStats int id             quot teacher quot  policy accept 3 roles

User · Answer

Another clear solution  you can use constants to keep convention and add multiple  Authorize  attributes  Check this out   public static class RolesConvention       public const string Administrator    Administrator       public const string Guest    Guest       Then in the controller    Authorize Roles   RolesConvention Administrator     Authorize Roles   RolesConvention Guest    Produces  application json     Route  api  controller     public class MyController   Controller

User · Answer

If you want use custom roles  you can do this   CustomRoles class    public static class CustomRoles       public const string Administrator    Administrador       public const string User    Usuario       Usage   Authorize Roles   CustomRoles Administrator       CustomRoles User     If you have few roles  maybe you can combine them  for clarity  like this   public static class CustomRoles        public const string Administrator    Administrador        public const string User    Usuario        public const string AdministratorOrUser   Administrator         User        Usage   Authorize Roles   CustomRoles AdministratorOrUser

[asp.net-mvc] Allow multiple roles to access controller action

Examples related to asp.net-mvc

Examples related to controller

Examples related to roles