How to add 'pass parameter' to custom AuthorizeAttribute

1110 · Feb 23, 2013 · Viewed 18.1k times

I want to secure a controller action so that only users with the role "Admin" can get in.
I don't use a Role/Membership provider at all; everything is custom.
I have made this so far:

using System.Web;
using System.Web.Mvc;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Let the base attribute reject unauthenticated requests first.
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
            return false;

        string username = httpContext.User.Identity.Name;

        // Custom role store (no Role/Membership provider).
        UserRepository repo = new UserRepository();

        return repo.IsUserInRole(username, "Admin");
    }
}

Notice that I hardcoded "Admin" here.
I want this to be dynamic.
This works now:

[CustomAuthorize]
public ActionResult RestrictedArea()...

But I want something like this:

[CustomAuthorize(Roles = "Admin")]
public ActionResult RestrictedArea()

Answer

Zbigniew · Feb 23, 2013

AuthorizeAttribute already has a Roles property, which can be used for this purpose:

using System.Web;
using System.Web.Mvc;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check runs first; it rejects unauthenticated requests.
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            return false;
        }

        string username = httpContext.User.Identity.Name;

        UserRepository repo = new UserRepository();

        // this.Roles is the raw string set on the attribute, e.g. Roles = "Admin".
        return repo.IsUserInRole(username, this.Roles);
    }
}
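
A variant of the attribute above, added here as an example and not code from the question or the answer: it handles a comma-separated role list and the case where the principal itself carries no roles, because base.AuthorizeCore also tests IPrincipal.IsInRole whenever the built-in Roles property is set. AllowedRoles is a hypothetical property name, denying when no roles are configured is a design choice of this example, and UserRepository with IsUserInRole(username, role) is assumed to be the asker's own type.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Usage: [CustomAuthorize(AllowedRoles = "Admin")]
//        [CustomAuthorize(AllowedRoles = "Admin, Auditor")]
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical property (not part of AuthorizeAttribute).
    // Comma-separated role names checked against the custom role store.
    public string AllowedRoles { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // With the built-in Roles property left unset, the base check only
        // covers authentication and the optional Users list; it does not
        // call IPrincipal.IsInRole, so a principal without roles still passes.
        if (!base.AuthorizeCore(httpContext))
            return false;

        string[] roles = (AllowedRoles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        // Fail closed: an attribute with no roles configured grants nothing.
        if (roles.Length == 0)
            return false;

        string username = httpContext.User.Identity.Name;

        // Assumed: the asker's repository, one role name per call.
        var repo = new UserRepository();

        // Access is granted if the user holds any one of the listed roles.
        return roles.Any(role => repo.IsUserInRole(username, role));
    }
}
```

AuthorizeCore is also invoked from the output-cache validation path, so it should stay free of per-request state stored on the attribute instance, as it is here.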