
Dynamic Access Control for ASP.NET MVC

ASP.NET MVC has a built-in ability to restrict access to certain controllers and their actions. This feature is provided by the AuthorizeAttribute attribute, but it offers very little capability or flexibility (in practice, almost none). Rights can only be defined at development time and cannot be changed without recompiling. Creating your own attribute with the functionality you need, however, is not at all difficult.

So let's get started. Create a new project in Visual Studio, select the ASP.NET MVC 3 Web Application type and name it DynamicAuthorize. Wait for the studio to generate the project.
Access rights can be stored and defined in various ways: in a database, retrieved from a remote service, in an XML file, and so on. It all depends on the task and your preferences. For this example, so as not to be distracted by implementing those mechanisms, we will write a class that returns permission information; replacing it with the implementation you need should not cause any problems. Here is the PermissionManager class:
    public class PermissionManager
    {
        public bool ValidatePermissions(string controller, string action, string user)
        {
            bool isUserAccess = false;

            // user1 may only run Home/Test
            if (user == "user1" && controller == "Home")
            {
                switch (action)
                {
                    case "Test":
                        isUserAccess = true;
                        break;
                }
            }

            // user2 may only run Home/Edit
            if (user == "user2" && controller == "Home")
            {
                switch (action)
                {
                    case "Edit":
                        isUserAccess = true;
                        break;
                }
            }

            // Index and About are open to everyone, including anonymous users
            if (controller == "Home" && (action == "Index" || action == "About"))
            {
                isUserAccess = true;
            }

            return isUserAccess;
        }
    }

The class is elementary, so there is no need to explain what it does. As for the authorization itself, MVC has the IAuthorizationFilter interface, which has a single method, OnAuthorization. This method is called whenever the user needs to be authorized, i.e. checked for the right to perform the operation in question. This is exactly what we need. Well, enough theory; let's create the attribute itself, the DynamicAuthorizeAttribute class:
    using System;
    using System.Web.Mvc;

    public class DynamicAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            PermissionManager permissionManager = new PermissionManager();

            // the action and controller being requested, and the current user name
            string action = filterContext.ActionDescriptor.ActionName;
            string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
            string user = filterContext.HttpContext.User.Identity.Name;

            if (!permissionManager.ValidatePermissions(controller, action, user))
            {
                throw new UnauthorizedAccessException("     ");
            }
        }
    }

The AuthorizationContext parameter carries many useful properties that allow access checks to be organized in many ways, but in this case the check is elementary: we simply call the method of the PermissionManager class.
With that, the dynamic authorization is complete. I said it was not difficult. Now let's proceed to testing. Create two additional actions in the Home controller (two were kindly created by the studio already):
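As an added example (not the original post's code), the following shows how the same filter can be made data-driven and can return proper HTTP results instead of throwing: the rule table is a constructed in-memory sample standing in for whatever store you choose, the RuleBasedPermissionManager and DynamicAuthorize.Attributes namespace are assumed names, and the filter returns 401 for anonymous callers and 403 for authenticated users without a rule, rather than an exception that surfaces as a 500 error page. Anything without a rule is denied.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

namespace DynamicAuthorize.Attributes // assumed namespace, matching the post's [Attributes.DynamicAuthorize]
{
    // Rule-driven replacement for the post's PermissionManager (same ValidatePermissions signature).
    public class RuleBasedPermissionManager
    {
        public const string Everyone = "*";

        // Constructed sample rules: key is "Controller/Action", value is the set of allowed user names.
        // "*" means anyone, including anonymous visitors. A real deployment would load this table
        // from a database, a service or a config file and could refresh it at runtime.
        private readonly Dictionary<string, HashSet<string>> rules =
            new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
            {
                { "Home/Index", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { Everyone } },
                { "Home/About", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { Everyone } },
                { "Home/Test",  new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "user1" } },
                { "Home/Edit",  new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "user2" } },
            };

        // Default-deny: an action with no rule is reachable by nobody.
        public bool ValidatePermissions(string controller, string action, string user)
        {
            HashSet<string> allowed;
            if (!rules.TryGetValue(controller + "/" + action, out allowed))
            {
                return false;
            }
            if (allowed.Contains(Everyone))
            {
                return true;
            }
            return !string.IsNullOrEmpty(user) && allowed.Contains(user);
        }
    }

    public class DynamicAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            var manager = new RuleBasedPermissionManager();
            string action = filterContext.ActionDescriptor.ActionName;
            string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;

            // Only trust the name of an authenticated identity; anonymous callers get no user name.
            var identity = filterContext.HttpContext.User.Identity;
            string user = identity.IsAuthenticated ? identity.Name : null;

            if (manager.ValidatePermissions(controller, action, user))
            {
                return; // allowed: leave Result unset so the action executes
            }

            // Setting Result short-circuits the action. 401 lets forms authentication redirect
            // to the login page; 403 tells a logged-in user the action is not permitted.
            if (!identity.IsAuthenticated)
            {
                filterContext.Result = new HttpUnauthorizedResult();
            }
            else
            {
                filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Forbidden, "Forbidden");
            }
        }
    }
}
```

Two design notes. First, because rules are looked up by "Controller/Action", a new action added to a protected controller is blocked until someone writes a rule for it, which is the safer failure mode for an access-control table. Second, unlike the built-in AuthorizeAttribute, a plain IAuthorizationFilter does nothing about output caching; if you combine it with [OutputCache], a page rendered for an authorized user can be served from the cache to others, so either avoid caching on protected actions or hook the cache validation callback the way AuthorizeAttribute does.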
    public ActionResult Test()
    {
        return View();
    }

    public ActionResult Edit()
    {
        return View();
    }

Create views for them (I used the Visual Studio generator) and mark the controller with our newly created attribute:
    [Attributes.DynamicAuthorize]
    public class HomeController : Controller

Add links to the created controller actions to the Index view:
    <p>
        @Html.ActionLink("Test", "Test")
    </p>
    <p>
        @Html.ActionLink("Edit", "Edit")
    </p>

Now build the project (press Ctrl + Shift + B); it should build without errors.
Next we create the test users. Launch the ASP.NET administration tool:
Go to the "Security" section and add two users named user1 and user2. That's everything; now run the project. If you click one of the links without logging in, you will get an access error. If you log in as user1, the Test action will be available but Edit will not; if you log in as user2, the opposite is true.
In conclusion, I would like to say that, despite the simplicity of the implementation, beginners often ask how to organize dynamic access rights checking. I hope this post helps people facing this question to deal with it and to make authorization work exactly as intended.
Download the project here.


Source: https://habr.com/ru/post/137581/
