ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

chatura

I need to control the access to views based on users privilege levels (there are no roles, only privilege levels for CRUD operation levels assigned to users) in my MVC 4 application.

As an example; below the AuthorizeUser will be my custom attribute and I need to use it like this:

[AuthorizeUser(AccessLevels="Read Invoice, Update Invoice")]
public ActionResult UpdateInvoice(int invoiceId)
{
   // some code...
   return View();
}


[AuthorizeUser(AccessLevels="Create Invoice")]
public ActionResult CreateNewInvoice()
{
  // some code...
  return View();
}


[AuthorizeUser(AccessLevels="Delete Invoice")]
public ActionResult DeleteInvoice(int invoiceId)
{
  // some code...
  return View();
}

Is it possible to do it this way?

chatura

I could do this with a custom attribute as follows.

[AuthorizeUser(AccessLevel = "Create")]
public ActionResult CreateNewInvoice()
{
    //...
    return View();
}

Custom Attribute class as follows.

using System.Linq;
using System.Web;
using System.Web.Mvc;

public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Custom property: the privilege code the action requires
    public string AccessLevel { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Let the base attribute decide whether the user is authenticated at all
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            return false;
        }

        // GetUserRights loads the user's privilege codes from the DB (implemented elsewhere in the project)
        var privilegeLevels = GetUserRights(httpContext.User.Identity.Name);

        // Compare whole codes (LINQ Contains on the sequence), not substrings: joining the codes
        // into one string and calling string.Contains would let "Invoice" match "Read Invoice"
        return privilegeLevels.Contains(this.AccessLevel);
    }
}

You can redirect an unauthorised user in your custom AuthorisationAttribute by overriding the HandleUnauthorizedRequest method:

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    filterContext.Result = new RedirectToRouteResult(
        new RouteValueDictionary(new
        {
            controller = "Error",
            action = "Unauthorised"
        }));
}
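The question asks for several codes in one attribute ("Read Invoice, Update Invoice") while the answer checks a single AccessLevel by substring. The following is an added example, not code from the original post: it factors the permission decision into a plain static class with no HttpContext dependency, so the attribute's AuthorizeCore can delegate to it and the logic can be unit-tested. The names PermissionCheck, ParseRequired, HasAll and SubstringCheck are assumptions for this illustration, as is the policy that every listed code is required and that an empty list denies.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Pure permission-evaluation logic, kept separate from the MVC attribute so it can be
// tested without an HttpContext. An AuthorizeUserAttribute.AuthorizeCore would load the
// user's codes from the database and call PermissionCheck.HasAll(codes, this.AccessLevels).
public static class PermissionCheck
{
    // Split the attribute value ("Read Invoice, Update Invoice") into individual codes.
    public static IReadOnlyList<string> ParseRequired(string accessLevels)
    {
        if (string.IsNullOrWhiteSpace(accessLevels))
        {
            return Array.Empty<string>();
        }
        return accessLevels
            .Split(',')
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToList();
    }

    // True only if the user holds every required code, compared as whole codes.
    // Assumed policy: all listed codes are required (AND), and an attribute that lists
    // no codes denies, so a misspelled or empty attribute value fails closed.
    public static bool HasAll(IEnumerable<string> userRights, string accessLevels)
    {
        var required = ParseRequired(accessLevels);
        if (required.Count == 0)
        {
            return false;
        }
        var granted = new HashSet<string>(
            userRights.Select(r => r.Trim()), StringComparer.Ordinal);
        return required.All(granted.Contains);
    }

    // The check the original answer performs: concatenate the codes and search for a
    // substring. Included only to show the over-grant it produces.
    public static bool SubstringCheck(IEnumerable<string> userRights, string accessLevel)
    {
        return string.Join("", userRights).Contains(accessLevel);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a user who may only read and update invoices.
        var rights = new[] { "Read Invoice", "Update Invoice" };

        foreach (var attributeValue in new[] { "Read Invoice, Update Invoice", "Delete Invoice", "Invoice", "" })
        {
            Console.WriteLine("HasAll(\"{0}\") = {1}", attributeValue,
                PermissionCheck.HasAll(rights, attributeValue));
        }

        foreach (var attributeValue in new[] { "Invoice", "InvoiceUpdate" })
        {
            Console.WriteLine("SubstringCheck(\"{0}\") = {1}", attributeValue,
                PermissionCheck.SubstringCheck(rights, attributeValue));
        }
    }
}
```

With these rights, HasAll grants only the first attribute value and denies "Delete Invoice", "Invoice" and the empty string, whereas SubstringCheck grants both "Invoice" and "InvoiceUpdate" because the joined string "Read InvoiceUpdate Invoice" contains them. Comparing whole codes with an ordinal HashSet lookup is what prevents one privilege name that happens to be a substring of another from unlocking the wrong action.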
