
I am trying to figure out how to prevent access to a controller's method if user is not logged in or is not an admin. I have a class with variables inside which keep track of the user and his state (logged in, admin, etc.).

I think this can be done by using a ValidationAttribute. I have not used this technique before so I am probably doing something wrong.

AccountController.CS

[AdminUserValidation]
public ActionResult Index()
{
    var account1 = account.GetAccountsWithType();
    return View(account1.ToList());
}

AdminUserValidation.CS

public class AdminUserValidationAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (UserSession.Current.IsAdmin)
        {
            //Allow access to the controller's method
        }
        else
        {
            //Prevent access to the controller's method and show error page (bad request/forbidden)
        }
        base.OnActionExecuting(filterContext);
    }
}
  • AuthorizeAttribute will be your friend here. Commented Aug 15, 2016 at 15:53
  • I do not want to use the built-in UserManager since that means I have to store my users inside that built-in database. I use my own database for the users and their roles. Is there any way I can validate this by using my 'UserSession.Current.IsAdmin' variable? Commented Aug 15, 2016 at 16:10
  • I also use my own table structure, with a custom-built membership/role provider. Commented Aug 15, 2016 at 16:32

2 Answers

This functionality is already in User Roles; you need to assign each user a role using the UserManager like so:

// Look the user up by id, then add them to a role.
// Note: AddToRole takes the role *name* (e.g. "Admin"), not the row id from AspNetRoles.
User user = UserManager.FindById(userID);
UserManager.AddToRole(user.Id, roleName);

The role IDs can be created by you, there is a default table called "AspNetRoles" which is where the roleID will be stored and AddToRole will insert records into "AspNetUserRoles".

Then in your controller you can specify which roles should be able to access the entire controller or individual methods.

[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    ...
}

Users will need to log out and back in for the role to take effect as it is stored in a cookie.


3 Comments

If you want more of a fine grain authorization, you can use Claims: bitoftech.net/2015/03/31/…
I do not want to use the built-in UserManager since that means I have to store my users inside that built-in database. I use my own database for the users and their roles. Is there any way I can validate this by using my 'UserSession.Current.IsAdmin' variable?
You can use UserManager with a different database schema, you just need to implement the interfaces. Unfortunately I haven't done this myself so I'm not sure on the specifics. If you want to do it your way you can do something like if (!UserSession.Current.IsAdmin) { throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Unauthorized)); } base.OnActionExecuting(actionContext);
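Since the asker wants to keep a custom user store, here is an added example (not from the question or from either answer) of what the first comment suggests: subclassing AuthorizeAttribute so the check runs in the authorization stage of the MVC pipeline and consults the asker's own session object. It assumes UserSession.Current exposes IsAdmin (as in the question) and an IsLoggedIn flag (an assumed name; substitute whatever the session class actually tracks). Anonymous callers get 401, which forms authentication turns into a redirect to the login page; logged-in non-admins get 403 so they are not bounced to a login page they have already passed.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Usable on a whole controller or a single action; one instance per target.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class AdminOnlyAttribute : AuthorizeAttribute
{
    // Called by AuthorizeAttribute.OnAuthorization, and again by the output-cache
    // validation callback, so a cached admin page is never served to a non-admin.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var session = UserSession.Current;          // assumed: the asker's own session class
        return session != null && session.IsLoggedIn && session.IsAdmin;   // IsLoggedIn is an assumed member
    }

    // Decide what the caller sees when AuthorizeCore returns false.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var session = UserSession.Current;
        if (session == null || !session.IsLoggedIn)
        {
            // Not authenticated: 401. With FormsAuthentication this becomes a login redirect.
            filterContext.Result = new HttpUnauthorizedResult();
        }
        else
        {
            // Authenticated but not an admin: 403, and no redirect loop to the login page.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
    }
}

// Usage on the controller from the question: only admins reach any action here.
[AdminOnly]
public class AccountController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

Because the decision is made in an authorization filter, it runs before model binding and before any action filter, and AuthorizeAttribute registers a cache-validation callback so [OutputCache] on an admin action re-runs AuthorizeCore for every hit instead of replaying the cached response to whoever asks next.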

I solved the issue by using the following code:

AccountController.CS

[AdminUserValidation]
public ActionResult Index()
{
    var account1 = account.GetAccountsWithType();
    return View(account1.ToList());
}

AdminUserValidation.CS

public class AdminUserValidationAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (!UserSession.Current.IsAdmin)
        {
            // Assigning a Result short-circuits the pipeline: the action method never runs
            // and the caller gets a 403 Forbidden instead.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}
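An added example (not part of the answer above) of applying this kind of filter deny-by-default rather than per action: register it globally in FilterConfig and mark the few actions that must stay public (login page, health check) with an opt-out attribute, so an admin action that someone forgets to decorate fails closed. PublicAttribute is an assumed name introduced here; UserSession.Current.IsAdmin is taken from the question. The same registration pattern works unchanged for an AuthorizeAttribute subclass, which is the better base class because it runs in the authorization stage rather than after model binding.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Opt-out marker for the handful of actions that anyone may call (assumed name).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
public sealed class PublicAttribute : Attribute
{
}

public class AdminUserValidationAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Honour the opt-out on either the action or its controller.
        bool isPublic =
            filterContext.ActionDescriptor.IsDefined(typeof(PublicAttribute), inherit: true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(PublicAttribute), inherit: true);
        if (isPublic)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // Everything else requires an admin; a missing attribute now denies instead of allows.
        if (UserSession.Current == null || !UserSession.Current.IsAdmin)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}

// App_Start/FilterConfig.cs: global filters apply to every controller in the site.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AdminUserValidationAttribute());
    }
}

// The login action has to be reachable before anyone is an admin.
public class LoginController : Controller
{
    [Public]
    public ActionResult Index()
    {
        return View();
    }
}
```

With this in place the security review question changes from "did every admin action get the attribute?" to "is every [Public] action genuinely safe for anonymous callers?", which is a much shorter list to audit.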
