
Is there a way to set a group of actions inside of a controller to require the user to be in a certain role?

So for example if I have 5 Actions that I want to require the user to be in a "Recruiting" role, can I group the code and then have all those actions require the same Role based off of a single Annotation?

Inversely, if that isn't possible, is there a way to mark the class to require a certain role, and then is there an annotation to set a few actions to ignore this requirement?

Lastly if this isn't an option can you use partial classes to accomplish this?

Any other methods I'm not thinking of that would work?

Jared
  • You are wondering if many methods can have the same authorization, but not necessarily all of them? – Skitterm Jul 12 '12 at 22:38
  • Not exactly, I'm wanting to apply a single Annotation to a group of Actions. It's primarily a laziness issue on my part, but I'd prefer to not have to Annotate 5 actions the exact same IF there is a way to annotate a group of actions – Jared Jul 12 '12 at 22:43
  • Also, it will be more than 5 actions, that's just an arbitrary number I threw out there. – Jared Jul 12 '12 at 22:44
  • I tried adding an authorize statement before the entire controller and then a different one right before one of the methods; it just stacked them, so that anyone that wanted that method had to belong to both. hm. – Skitterm Jul 12 '12 at 22:48

2 Answers


Jared,

This is what I would do, but it doesn't get around the problem of having to do it for each one:

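```csharp
using System.Web.Mvc;

// Controller level: every action requires an authenticated user.
[Authorize]
public class HomeController : Controller
{
    // Action level: this action additionally requires the "Recruiter" role.
    [Authorize(Roles = "Recruiter")]
    public ActionResult MethodOne()
    {
        return View();
    }
}
```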

It looks like your answer lies here:

Overriding controller AuthorizeAttribute for just one action

The answer to that question appears to hit on yours as well--using the Order property to set the least restrictive authorization to the controller and the most restrictive to the method.

Set the controller to this one (the one of most methods), and for the ones you want exempt (the fewer), make your authorize statement more restrictive.

Skitterm
  • If an Order authorization is put in front of the controller, it won't be overridden as far as I can tell. However, if put in front of the index, it can be. – Skitterm Jul 12 '12 at 23:14
  • Yea I'm aware of doing this, but I actually don't require any authentication of a few of the actions. – Jared Jul 12 '12 at 23:16
  • Set them for a higher order but without any other requirements: i.e. [Authorize(Order = n+1)], instead of [Authorize(Order = n+1, Roles = "Whatever")] – Skitterm Jul 12 '12 at 23:20
  • I've actually rolled a custom `[Auth]` annotation, because the IT Department users all basically have access to whatever and I didn't want to have to specifically list our role in the roles list. So, are you aware of a way to catch the Role that is being checked against? So for example if I do a `[Auth(Roles = "IgnoreAuth")]` can I catch the "IgnoreAuth" inside the custom attribute? If you are not sure I'll open a new question. I'm going to do some additional searching after posting this Note... – Jared Jul 12 '12 at 23:37

After much looking it doesn't appear that there is a way to apply an [Authorize] attribute to a group of actions (that I've been able to find). It appears that you have to either apply it to the class or an individual action. While Skitterm's answer is a good option it didn't solve the issue I was hoping to resolve.

Jared
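
An added example, not code from either poster, of the class-level variant asked about in the question: the role requirement is declared once on the controller and individual actions opt out through a marker attribute. `RoleUnlessSkippedAttribute`, `SkipRoleCheckAttribute`, `RecruitingController` and the action names are hypothetical; the sketch assumes ASP.NET MVC 3 or later (`System.Web.Mvc`).

```csharp
using System;
using System.Web.Mvc;

// Hypothetical marker: an action carrying it is exempt from the
// controller-level check (no authentication or role required).
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public sealed class SkipRoleCheckAttribute : Attribute { }

// Hypothetical filter: behaves like [Authorize] unless the action opts out.
public class RoleUnlessSkippedAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // Look for the marker on the action being invoked.
        bool skip = filterContext.ActionDescriptor
            .IsDefined(typeof(SkipRoleCheckAttribute), inherit: true);
        if (skip)
            return; // exempt action: no user or role check is run

        // Every other action gets the normal Users/Roles check.
        base.OnAuthorization(filterContext);
    }
}

// The role is stated once; new actions are protected by default.
[RoleUnlessSkipped(Roles = "Recruiting")]
public class RecruitingController : Controller
{
    public ActionResult Candidates() { return View(); }    // Recruiting only
    public ActionResult Interviews() { return View(); }    // Recruiting only

    [SkipRoleCheck]
    public ActionResult PublicJobList() { return View(); } // open to everyone
}
```

Putting the requirement on the class makes the default deny, so an action added later without any attribute is still protected. ASP.NET MVC 4 and later ship a built-in `[AllowAnonymous]` attribute that the stock `[Authorize]` filter honours in the same way.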