Last post Jul 20, 2017 08:02 AM by flexabust
Jul 13, 2017 01:23 PM|flexabust
I have a pretty broad question about the implementation of authorizations in my ASP.NET MVC project. Until now I have built a dynamic menu that changes according to a user's roles, knowing that:
- The user is authenticated through Active Directory
- The user's AD groups are linked with the Server DB that contains Profiles, which in turn are attached to resources
This means that I make several relations to deduce which documents / resources a user can access. I have generated this menu successfully, but I have now realized that with URL parameters, one can access a resource without the correct privileges. I have put an [Authorize] attribute everywhere to prevent access without login.
My problem is that I have a LOT of different Profiles, and I'm not sure it would be wise to add an [Authorize(Roles = "RoleName")] attribute for each of them; that would take lots of time and I would have to do a lot of DB checking (since I'd have to put authorizations for each profile every time I add a controller method). I'll add that I implemented authentication as suggested here:
Would you have any ideas to handle this?
Jul 13, 2017 02:25 PM|codemovement.pk
The most used and simple convention that should be used is
"Role1, Role2, Role3"
You can also make a custom class for roles like
public static class CustomRoles
{
    public const string Administrator = "Administrador";
    public const string User = "Usuario";
}
// Applied to a controller or action:
[Authorize(Roles = CustomRoles.Administrator + "," + CustomRoles.User)]
Jul 13, 2017 02:34 PM|flexabust
Thank you for your answer!
This is the solution I'm apprehending, because it will be very time-consuming. Do you believe this to be the only option?
Jul 13, 2017 03:31 PM|codemovement.pk
Thanks for the reply.
In simple words, what you need is a single permission assigned to each Action. Each logged-in user must have a Role. Our custom implementation will just check whether the user's Role has the mentioned Permission or not.
In MVC, this can better be achieved by claims-based authentication as well.
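The permission-per-action check described in the reply above, as an added example that is not part of the original posts: a custom filter built on MVC's AuthorizeAttribute, so each action names one permission instead of listing every profile. PermissionStore, RequirePermissionAttribute, and the group and permission names are hypothetical; the in-memory dictionary stands in for the Profiles/resources tables.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup: permission name -> AD groups whose profile grants it.
// In the thread's setup this would be loaded from the DB and cached.
public static class PermissionStore
{
    // Constructed sample data; group and permission names are placeholders.
    private static readonly Dictionary<string, string[]> GroupsByPermission =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Documents.Read", new[] { @"EXAMPLE\Finance", @"EXAMPLE\Audit" } },
            { "Documents.Edit", new[] { @"EXAMPLE\Finance" } },
        };

    public static IEnumerable<string> GroupsFor(string permission)
    {
        string[] groups;
        // Unknown permission -> empty list -> deny by default.
        return GroupsByPermission.TryGetValue(permission, out groups)
            ? groups : Enumerable.Empty<string>();
    }
}

// Usage: [RequirePermission("Documents.Read")] on a controller or action.
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;
    public RequirePermissionAttribute(string permission) { _permission = permission; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check rejects anonymous users first.
        if (!base.AuthorizeCore(httpContext)) return false;
        // With Windows authentication, IsInRole tests AD group membership.
        return PermissionStore.GroupsFor(_permission).Any(httpContext.User.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: answer 403 rather than a login challenge.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

This gates the action, not the specific record named in the URL: where access differs per document, the id from the route still has to be checked against the user's profile before the resource is returned.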
Jul 20, 2017 08:02 AM|flexabust
Thanks, this is exactly what I was looking for (and sorry for the late reply)