1

I have a database table where all the company employees are listed. They have roles (a, b, c) defined to each employee. for e.g. employee 1 has role a, employe 2 has role b and so on.

Now, i want to check if employe has either of the 3 roles. if yes, provide that user access to website. if no roles mentioned to that user, deny access. The c# code should be able to take the windows login information and then query the database.

can anyone please let me know how to use C# code and start off with things

Improve this question
5
  • @Hogan- :( i know it sounds very basic to you. but any help is appreciated mate. Commented Feb 4, 2016 at 20:11
  • Then use Windows authentication. It's made for that... Commented Feb 4, 2016 at 20:12
  • @AdrianoRepetti- do i use only this ? code.msdn.microsoft.com/windowsdesktop/… Commented Feb 4, 2016 at 20:16
  • I was just talking with a co-worker about one idea of implementing custom security. See here: www-asp.azureedge.net/v-2016-02-03-001/media/4773381/… My thought is extending the ActionFilter class that gets called by controllers and methods alike that will perform the base method and then proceed with your own logic to proceed or discontinue a user of accessing parts of your site. I perform a db call to a table which is a cross tab of users and roles and ensure they have the minimal credentials to continue. Commented Feb 4, 2016 at 20:24
  • 1
    @Ayesha - It is not that it sounds basic -- it is that I have no idea how to help you. This is like saying I want a blue box. How do I get a blue box? While the question can be answered it is probably not useful unless more information is given... what will the box be used for, what size box do you want... etc. Commented Feb 4, 2016 at 21:20

1 Answer 1

Reset to default
2

A Filter Attribute that extends AuthorizeAttribute. It gets the roles for the user in the database and compares with the roles assigned to each controller or method.

public class UserRoleAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        //Data Repository. Getting data from database
        var repository = new LoginRoleRepository();
        //GetCharacterSeparator is an Extension method of String class
        //It seperates the comma separated roles.
        //The data comes from the controller
        var roles = Roles.GetCharacterSeparator(',', true);

        if (httpContext.User.Identity.IsAuthenticated)
        {
            //Here I check if the user is in the role, you can have your own logic. The data is gotten from DB.
            var userRoles =
                repository.All().Where(obj => obj.Login.Username == httpContext.User.Identity.Name).Single().Roles;


            foreach (var role in roles)
                if (userRoles.Any(obj => obj.Name == role))
                    return true;
        }
        return false;
    }
}

Then you just define the attribute for each method or controller as bellow.

//Both Doctors and Receptionist have access to Patient controller.
[UserRoleAuthorize(Roles="Doctors, Receptionist")]
public class PatientController : Controller
{
     //Both Doctors and Receptionist have access to Schedule an appointment for patients.
     public ActionResult Schedule()
     {
            return View();
     }

     //Only Doctors have access to Treat patients.
     [UserRoleAuthorize(Roles="Doctors")]
     public ActionResult TreatPatient()
     {
            return View();
     }
}

You need to add extra information as:

//Here seperate the roles as Doctor:ReadWrite, Receptionist:Read
//If you see Doctor:ReadWrite means the doctor has Read and Write and so on.
//This code is in AuthorizeCore
var roles = Roles.GetCharacterSeparator(',', true);

//And Add the bellow to the controllers and methods.
[UserRoleAuthorize(Roles="Doctors:Write, Employees:Read")]
Improve this answer
Sign up to request clarification or add additional context in comments.

10 Comments

You don't need to implement all the methods. I already use this in multiple projects and it is working fine. You just need to implement a login functionality and store the username as Cookie using FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);
I did not implement in my code. but it can be done easily.
Let me write it myself and I will let you know.
I hope it works for you. If any questions please, let me know.
@Ayesha Are you still in the chat?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.