Reputation: 180808
Why would I hard-code user permissions in my controller attributes?
I have seen example code that looks like this, which seems perfectly reasonable:
[Authorize(Roles = "Admin, User")]
public class SomeController : Controller
But I have also seen several examples that look like this:
[Authorize(Users = "Charles, Linus")]
public class SomeController : Controller
Why would I ever want to do this? I can't imagine any scenario where I would want to build a system that knows its user names in advance.
Upvotes: 8
Views: 1441
Answers (5)
Reputation: 39833
There are a few legitimate uses of this, and here's one example: If you're building a really simple site, that simply has an admin account and an unauthenticated account, you could do
[Authorize(Users = "Admin")]
This saves you the trouble of bothering to construct roles just for a single user. Think UNIX style, where the root account (uid 0) is special rather than a particular group.
Another example is simply a throw-away application, where you're testing something. There's no reason to bother with roles if you just want to test your authentication page or something like that.
One more reason: testing. You could build a unit test just for your authentication without wanting to unit test your role based framework. (Keep in mind, not everyone is using the default membership provider, and some membership providers are pretty sophisticated.) By creating a hard coded authentication for a test user, you can bypass the roles framework.
Upvotes: 3
Reputation: 9954
I agree with David Pfeffer.
In addition I think you could define a set of users with very specific permissions and jobs inside your app -maybe testing purposes, perhaps perfomance tracking... you will know it when the requirement knock the door ; )-.
Simply a group that is not supposed to be contained in the set of valid users used by your application. : ) -the hardcore way-
Upvotes: 0
Reputation: 37533
A couple of reasons you might consider doing it:
- The application is expected to have a very short lifecycle and no maintenance is required.
- The user(s) in question may not belong to a sufficiently defined group (as in the case of a small business), and there are no expected changes. (still very bad design, but it wouldn't be unheard of)
- You may have several overloads in a small application that require different behaviors for individuals within a group.
In any case it boils down to bad design and you wouldn't want to do it. But the interface is there because it is the simplest level of control.
Upvotes: 0
Reputation: 129423
The only "legitimate" reason to do that I can think of is building a back-door - either for nefarious, or for "future maintenance" purpose. The latter is Bad Juju as it introduces security risk. The former is Bad Juju as well of course :)
Upvotes: 1
Reputation: 9117
You wouldn't, hardcoding users is a bad smell. Roles exist for things like that.
Edit: I believe that, like when .net 1.0 hit with the whole web.config with allow/deny permissions, those are (or atleast SHOULD ONLY be) used as example sauce, even tho I'm into the pile of people that believe that blogs, tutorials and samples should only use good practices.
Upvotes: 1
Related Questions
- How to use the Authorize attribute both at the controller and action level?
- Roles in Authorize Attribute does not work as expected in MVC 4
- Why does ASP.NET MVC use Code Access Security?
- What benefit does your code receive if you decorate it with attributes demanding specific Security permissions?
- ASP.NET MVC Role based Privileges for Controller Actions
- Why are user roles kept separate from user definitions?
- When is it necessary to explicitly place attributes on controllers?
- AuthorizeAttribute with Roles but not hard-coding the Role values
- If all my .Net Controllers/Action need Authorize Attr, Why don't have a attribute to use only those who do not need?
- Setting user roles in controllers?