ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

asp.net-mvc-4 authorization custom-attributes
chatura picture chatura · Nov 7, 2012 · Viewed 150k times · Source

I need to control the access to views based on users privilege levels (there are no roles, only privilege levels for CRUD operation levels assigned to users) in my MVC 4 application.

As an example; below the AuthorizeUser will be my custom attribute and I need to use it like this:

[AuthorizeUser(AccessLevels="Read Invoice, Update Invoice")]
public ActionResult UpdateInvoice(int invoiceId)
{
   // some code...
   return View();
}


[AuthorizeUser(AccessLevels="Create Invoice")]
public ActionResult CreateNewInvoice()
{
  // some code...
  return View();
}


[AuthorizeUser(AccessLevels="Delete Invoice")]
public ActionResult DeleteInvoice(int invoiceId)
{
  // some code...
  return View();
}

Is it possible to do it this way?

Answer

chatura picture chatura · Nov 8, 2012

I could do this with a custom attribute as follows.

[AuthorizeUser(AccessLevel = "Create")]
public ActionResult CreateNewInvoice()
{
    //...
    return View();
}

Custom Attribute class as follows.

public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Custom property
    public string AccessLevel { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {                
            return false;
        }

        string privilegeLevels = string.Join("", GetUserRights(httpContext.User.Identity.Name.ToString())); // Call another method to get rights of the user from DB

        return privilegeLevels.Contains(this.AccessLevel);           
    }
}

You can redirect an unauthorised user in your custom AuthorisationAttribute by overriding the HandleUnauthorizedRequest method:

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new
                        { 
                            controller = "Error", 
                            action = "Unauthorised" 
                        })
                );
}

Related questions

ASP.NET MVC 4 custom Authorize attribute - How to redirect unauthorized users to error page?

I'm using a custom authorize attribute to authorize users' access based on their permission levels. I need to redirect unauthorized users (eg. user tries to delete an invoice without Delete acess level) to access denied page. The custom attribute is …

Read More
How to use JWT in MVC application for authentication and authorization?

I planned to use ASP.NET Identity 2.0 in an ASP.NET MVC application for authentication and authorization. Referring the below link JSON Web Token in ASP.NET Web API 2 using Owin I was able to create a access token(JWT) …

Read More
Accessing post or get parameters in custom authorization MVC4 Web Api

Is it possible to access post or get parameters via the HttpActionContext object? I have a set of sensors that loggs data to a web server that provides a REST api. I would like to introduce some sort of authentication/…

Read More