Dynamically add roles to authorize attribute for controller

c# asp.net asp.net-mvc asp.net-identity authorize-attribute
barnacle.m picture barnacle.m · May 7, 2015 · Viewed 25.4k times · Source

I need to enable my admin user to change access permissions for users on the fly, such that they can create new Roles and add permissions to those Roles.

I want to be able to create an Authorize attribute to stick above my controller class that I can add roles to from a database, so that I don't have to 'set' the roles during development, as in [Authorize(Roles="Role1, Role2")] etc.

So something like [Authorize(Roles = GetListOfRoles()]

I found this question - ASP.NET MVC Authorize user with many roles which does something similar but maybe there's a way to change this such that it gets a list of permissions/roles from the db?

Answer

barnacle.m picture barnacle.m · May 21, 2015

This is how I pulled off an attribute that could authorize users per method based on the permissions of the role of that user. I hope this helps somebody else:

/// <summary>
/// Custom authorization attribute for setting per-method accessibility 
/// </summary>
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class SetPermissionsAttribute : AuthorizeAttribute
{
    /// <summary>
    /// The name of each action that must be permissible for this method, separated by a comma.
    /// </summary>
    public string Permissions { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        SalesDBContext db = new SalesDBContext();
        UserManager<ApplicationUser> userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
        ApplicationDbContext dbu = new ApplicationDbContext();

        bool isUserAuthorized = base.AuthorizeCore(httpContext);

        string[] permissions = Permissions.Split(',').ToArray();

        IEnumerable<string> perms = permissions.Intersect(db.Permissions.Select(p => p.ActionName));
        List<IdentityRole> roles = new List<IdentityRole>();

        if (perms.Count() > 0)
        {
            foreach (var item in perms)
            {
                var currentUserId = httpContext.User.Identity.GetUserId();
                var relatedPermisssionRole = dbu.Roles.Find(db.Permissions.Single(p => p.ActionName == item).RoleId).Name;
                if (userManager.IsInRole(currentUserId, relatedPermisssionRole))
                {
                    return true;
                }
            }
        }
        return false;
    }
}

Related questions

How to get current user, and how to use User class in MVC5?

How can I get the id of the currently logged in user in MVC 5? I tried the StackOverflow suggestions, but they seem to be not for MVC 5. Also, what is the MVC 5 best practice of assigning stuff to the users? (…

Read More
ASP.NET Identity - HttpContext has no extension method for GetOwinContext

I have downloaded, and successfully ran the ASP.NET Identity sample from here: https://github.com/rustd/AspnetIdentitySample I am now in the middle of implementing the ASP.NET Identity framework in my project and have ran into a problem, …

Read More
Get UserID of logged-in user in Asp.Net MVC 5

I'm relatively new to ASP.Net MVC and try to use the built-in user login functionality now. I'm able to register an user in the registration view. If I try to login with the created user this also works. I'm …

Read More