AuthorizeAttribute with Roles but not hard-coding the Role values
Is it possible to add the Roles but not hard-coding the values like:
[Authorize(Roles="members, admin")]
I would like to retrieve these roles from a database or configuration file where I wouldn't need to rebuild the application if I needed to add/remove Roles for a Controller Action.
I know with the enums it can be done... http://www.vivienchevallier.com/Articles/create-a-custom-authorizeattribute-that-accepts-parameters-of-type-enum but even this is still not flexible enough for my needs; it's still somewhat of a hard-code, even though it is cleaner.
Answer
You can create your custom authorization attribute, that will compare user roles and roles from your configuration.
public class ConfigAuthorizationAttribute: AuthorizeAttribute
{
private readonly IActionRoleConfigService configService;
private readonly IUserRoleService roleService;
private string actionName;
public ConfigAuthorizationAttribute()
{
configService = new ActionRoleConfigService();
roleService = new UserRoleService();
}
protected override void OnAuthorization(AuthorizationContext filterContext)
{
actionName = filterContext.ActionDescription.ActionName;
base.OnAuthorization(filterContext);
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var availableRoles = configService.GetActionRoles(actionName); // return list of strings
var userName = httpContext.User.Identity.Name;
var userRoles = roleService.GetUserRoles(userName); // return list of strings
return availableRoles.Any(x => userRoles.Contains(x));
}
}
I hope it helps you.