1

Is there a way to use...

[Authorize(Roles = "Administrator")]
public class SomeController : Controller
{
    ...
}

...with my own Roles database table, without using SimpleMembershipProvider?

My Users and Roles model classes:

[Table("Users")]
public class UserModel
{
    [Key]
    public Int32 ID { get; set; }

    [Required]
    public String Name { get; set; }

    [Required]
    public String Password { get; set; }

    [Required]
    public virtual RoleModel Role { get; set; }
}

[Table("Roles")]
public class RoleModel
{
    [Key]
    public Int32 ID { get; set; }

    [Required]
    public String Name { get; set; }

    public virtual ICollection<UserModel> Users { get; set; }
}

Does someone have the same problem?

tereško
  • The Authorize Attribute is independent from the MembershipProvider - perhaps you should take a look into the new ASP.NET Identity Model. – TGlatzer Feb 03 '14 at 10:37
  • But how do I tell it to check for roles in my database and not in the default one? –  Feb 03 '14 at 19:56
  • For ASP.NET Identity you just have to implement the Store and fulfill the Interfaces of IRole. – TGlatzer Feb 04 '14 at 07:48
  • You should read my question and answer here: http://stackoverflow.com/questions/21470423/using-asp-net-identity-for-a-role-provider-easily. I just went through this about a week ago. – Gup3rSuR4c Feb 09 '14 at 18:16

2 Answers

1

You should create your own Authorize attribute by inheriting from the AuthorizeAttribute class:

public class CustomAuthorizeAttribute : AuthorizeAttribute
{

}

Then you can configure it however you like.

Also you can take a look at these questions on Stack Overflow:

  1. Custom Authorize Attribute
  2. ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)
Community
Selman Genç
  • When is the code inside it _run_ or _checked_? Is there an injection of code wherever the attribute is placed? –  Feb 02 '14 at 15:26
  • There are some methods that you can override, like [`OnAuthorization`](http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.onauthorization(v=vs.118).aspx). Take a look at the [AuthorizeAttribute](http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute_methods(v=vs.118).aspx) methods. – Selman Genç Feb 02 '14 at 15:49
  • I don't even know how to write the code to check for specific roles in my database from inside the `AuthorizeAttribute`, can you help me please? I've never worked with hooking framework methods before. –  Feb 03 '14 at 20:01
  • An alternative to writing a custom AuthorizeAttribute is to create a custom membership provider http://msdn.microsoft.com/en-us/library/f1kyba5e(v=vs.100).aspx . You then configure your app to use your membership provider and the AuthorizeAttribute will work as is. – Kevin Junghans Feb 05 '14 at 13:37
  • @Selman22 - You seem to be confusing Membership with Roles... They are two different things. You don't need to write a custom authorize attribute, nor a custom membership provider. You may need to write a custom role provider. – Erik Funkenbusch Feb 09 '14 at 19:06
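
The custom role provider mentioned in the last comment lets the stock `[Authorize(Roles = "Administrator")]` attribute read roles from the question's own tables. This is an added example, not code from any poster on this page; `AppDbContext`, `DbRoleProvider`, `YourNamespace`, the use of Entity Framework, and an authenticated identity name equal to `UserModel.Name` are assumptions.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Web.Security;

// Assumption: an Entity Framework context over the question's Users and Roles tables.
public class AppDbContext : DbContext
{
    public DbSet<UserModel> Users { get; set; }
    public DbSet<RoleModel> Roles { get; set; }
}

// web.config: <roleManager enabled="true" defaultProvider="DbRoleProvider"> with
// <add name="DbRoleProvider" type="YourNamespace.DbRoleProvider" /> under <providers>.
public class DbRoleProvider : RoleProvider
{
    public override string ApplicationName { get; set; }
    public override string[] GetRolesForUser(string username)
    {
        using (var db = new AppDbContext())
        {
            // Unknown user: empty array, so every role check fails (deny by default).
            return db.Users.Where(u => u.Name == username)
                           .Select(u => u.Role.Name).ToArray();
        }
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles()
    {
        using (var db = new AppDbContext()) { return db.Roles.Select(r => r.Name).ToArray(); }
    }

    public override bool RoleExists(string roleName)
    {
        return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }
    // Read-only provider: role changes go through the application's own admin code.
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
}
```
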
0

I ran into the same problem and I used a custom attribute. But my roles weren't as sophisticated. I needed to be able to give multiple roles to a user so I just used a string collection to do that. I used this custom filter:

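using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Usage, on a controller or action:
// [CustomAuthorize(UserRole = "AUTHORIZED_ROLE")]

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Name of the role the current user must have.
    public string UserRole { get; set; }
    protected IUnitOfWork uow = new UnitOfWork();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Let the base class reject unauthenticated requests first.
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            return false;
        }

        // Get the current user. The lookup is application-specific and was left out
        // of the answer; GetCurrentUser is a hypothetical helper you must supply.
        var currentUser = GetCurrentUser(httpContext);
        if (currentUser != null && UserRole == currentUser.Role.Name)
        {
            return true;
        }

        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Redirect wherever you want when the user is not authorized.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(
                new
                {
                    controller = "Home",
                    action = "AccessDenied"
                }));
    }
}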
Lokesh Suthar