I want to secure a controller action so that only users with the "Admin" role can get in.
I don't use the Role/Membership providers at all; everything is custom.
I made this so far:
/// <summary>
/// Authorization filter that admits only authenticated users whom the application's own
/// <see cref="UserRepository"/> reports as members of the "Admin" role. The role name is
/// fixed in this version; the attribute's <c>Roles</c> property is not consulted here.
/// </summary>
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>
    /// Lets the base attribute run its own check first, then asks the repository whether the
    /// current identity name belongs to the "Admin" role.
    /// </summary>
    /// <param name="httpContext">The HTTP context of the request being authorized.</param>
    /// <returns><c>true</c> when the base check passes and the user is in the "Admin" role; otherwise <c>false</c>.</returns>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Fail closed as soon as the base implementation rejects the request.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        var repository = new UserRepository();
        return repository.IsUserInRole(httpContext.User.Identity.Name, "Admin");
    }
}
Notice that I hard-coded "Admin" here.
I want this to be dynamic.
This works now:
[CustomAuthorize]
public ActionResult RestrictedArea()...
But I want something like this:
[CustomAuthorize(Roles = "Admin")]
public ActionResult RestrictedArea()
`AuthorizeAttribute` already has a `Roles` property which can be used for this purpose:
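/// <summary>
/// Authorization filter that checks the roles listed in <c>Roles</c> against the application's
/// own <see cref="UserRepository"/> instead of the ASP.NET role provider.
/// Usage: <c>[CustomAuthorize(Roles = "Admin")]</c> or <c>[CustomAuthorize(Roles = "Admin,Editor")]</c>.
/// Note: this override does not evaluate the base attribute's <c>Users</c> property.
/// </summary>
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>
    /// Returns <c>true</c> when the request is authenticated and the repository reports the user
    /// as a member of at least one configured role. With an empty <c>Roles</c> value any
    /// authenticated user passes, matching the base attribute's contract.
    /// </summary>
    /// <param name="httpContext">The HTTP context of the request being authorized.</param>
    /// <returns><c>true</c> to let the action run; <c>false</c> to reject the request.</returns>
    /// <exception cref="System.ArgumentNullException"><paramref name="httpContext"/> is <c>null</c>.</exception>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new System.ArgumentNullException("httpContext");
        }

        // Deliberately NOT calling base.AuthorizeCore here: once Roles is set, the base
        // implementation evaluates it through IPrincipal.IsInRole, which knows nothing about
        // UserRepository and, without a role provider feeding the principal, typically rejects everyone.
        var identity = httpContext.User == null ? null : httpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return false;
        }

        // Roles is a comma-separated list ("Admin,Editor"). Handing the whole string to the
        // repository as a single role name would never match, so split it and accept
        // membership in any one of the listed roles.
        string[] requiredRoles = SplitRoles(this.Roles);
        if (requiredRoles.Length == 0)
        {
            return true;
        }

        UserRepository repo = new UserRepository();
        foreach (string role in requiredRoles)
        {
            if (repo.IsUserInRole(identity.Name, role))
            {
                return true;
            }
        }

        return false;
    }

    // Splits the attribute's Roles value on commas, trims each entry and drops empty ones.
    private static string[] SplitRoles(string roles)
    {
        if (string.IsNullOrEmpty(roles))
        {
            return new string[0];
        }

        var result = new System.Collections.Generic.List<string>();
        foreach (string part in roles.Split(','))
        {
            string trimmed = part.Trim();
            if (trimmed.Length > 0)
            {
                result.Add(trimmed);
            }
        }

        return result.ToArray();
    }
}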