Reputation: 4528
MVC Manage users access to specific controllers
We're busy porting a legacy ASP.NET web forms application to MVC. Some modules are finished with their valid Authorize attributes correctly set up, but only 1 module is going live.
So we must prevent the user from navigating to different modules (which are there, but not "live" yet). We don't want to meddle with the existing Authorize attributes, but users are currently not allowing access to these modules.
Here are my thoughts and shortfalls:
In
Global.asaxsubscribe toApplication_AuthenticateRequestand have a list of "Live" controllers, check the Request URL and throw and redirect to "Not Authorized page" if necessary. But how then I would would have to manually take routing into account where the URL maymysite/could route tomysite/Foo/Bar/.Could the traditional
web.configauthorizationbe used for this scenario? (This would be easier to maintain than number 1, but the web is littered with Don't do this in MVC's)
Something like this, where Customer is the controller:
<location path="Customer">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
- Alternatively take the plunge, comment out ALL the
Authorizeattributes from the controllers which aren't live :( hoping not to go down this route...
Any push in a better direction would be greatly appreciated.
Upvotes: 1
Views: 729
Answers (1)
Reputation: 2191
You could use the asp.net mvc filter on this case.
public class YourCustomFilter : IFilterProvider
{
public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
{
List<Filter> result = new List<Filter>();
var routeData = controllerContext.HttpContext.Request.RequestContext.RouteData;
var controller = routeData.GetRequiredString("controller");
var action = routeData.GetRequiredString("action");
if (controller != "livecontrollername" && action != "liveactionname")
{
result.Add(new Filter(new YourCustomAuthorizeAttribute(), FilterScope.Global, null));
}
return result;
}
}
public class YourCustomAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
//Do something to prevent user from accessing the controller here
}
Then register this custom filter in Global.ascx, App_Start:
protected void Application_Start()
{
FilterProviders.Providers.Add(new YourCustomFilter());
}
Upvotes: 1
Related Questions
- Role based controller access
- ASP.NET MVC User based Privileges for Controller Actions
- Authorizing access to controller based on user claims
- ASP.net MVC - Authorize controller for one user/role but all users for one action
- How to assign specific users to specific controllers
- Authorize a mvc4 controller based on a particular role
- How to make some actions (pages) in the controller accessed only by certain members ? (asp.net-MVC)
- Limiting access to MVC controllers
- asp.net MVC role based access to controller
- Securing controllers in ASP.NET MVC to the correct user