Reputation: 1
In my MVC5 project, admin can create lessons in a control panel and the lessons are stored in the database (currently there are only 2 lessons). On the other hand, I can create some roles for these lessons, i.e. CanCreateMathHomework, CanCreateChemistryHomework, so that only the teachers of the related lesson can publish homework for the related lesson by using ASP.NET Identity. Until now everything works perfectly and the teachers can publish homework of their lesson.
LessonController:
```csharp
[Authorize(Roles = "CanCreateMathHomework")]
public ActionResult CreateMathHw()
{
    //code omitted for brevity
}

[Authorize(Roles = "CanCreateChemistryHomework")]
public ActionResult CreateChemistryHw()
{
    //code omitted for brevity
}
```
However, I want to create a flexible permission mechanism that lets the teachers of newly created lessons publish their homework without creating new roles in the database or new Actions in the Controller. What I want to achieve is this:
1) Admin will continue to create new lessons and teacher of the lesson then keep them in the database as ever before.
2) Admin gives the permission to the teacher of the newly created lesson so that he or she will be able to publish hw of his or her lesson as the other teachers.
3) There would be no need to create new Action methods in the Controller and everything should be done without needing the software developer.
But how? Is it possible? If so, can a global role and Action method be used in order to perform this? I am really very confused and any help would be appreciated. Thanks.
Upvotes: 1
Views: 860
Reputation: 8628
Unfortunately Authorize does not work in the way you are describing.
The aspnet identity database however (assuming you have one) will handle creating tables for users, roles, and other such interesting auth info so all you need to do is create joins between those aspnet tables and your "xhomework" tables to link up roles / users to items in other tables.
You can then create a new attribute by deriving from either the existing Authorize attribute or its parents (see here for more details: https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx)
...
This will give you a "filter" that gets applied to the request before the Action is executed allowing you to refuse on your own security terms, by overriding OnAuthorization (see here: https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.onauthorization(v=vs.118).aspx#M:System.Web.Mvc.AuthorizeAttribute.OnAuthorization(System.Web.Mvc.AuthorizationContext))
... from there you simply need a UI to manage the new join tables.
Upvotes: 1
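The approach in the answer above, sketched as an added example (not code from the answer or from ASP.NET itself): one attribute derived from `AuthorizeAttribute` that checks a join table in `OnAuthorization`, so a single action serves every lesson. `LessonTeacher`, `SchoolDbContext`, `LessonTeacherAuthorizeAttribute`, `CreateHomework` and the `lessonId` parameter are hypothetical names; the join table is assumed to map `AspNetUsers.Id` to a lesson id.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // GetUserId() extension method

// Hypothetical join row: which Identity user may publish homework for which lesson.
public class LessonTeacher
{
    public int Id { get; set; }
    public int LessonId { get; set; }
    public string UserId { get; set; }   // AspNetUsers.Id
}

// Hypothetical EF context; in a real project this set would live in the existing context.
public class SchoolDbContext : DbContext
{
    public DbSet<LessonTeacher> LessonTeachers { get; set; }
}

public class LessonTeacherAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // The base class rejects unauthenticated requests (and applies Roles/Users if set).
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null) return;

        // Read lessonId through the controller's value provider, the same source
        // model binding uses, so the id checked here is the id the action receives.
        var raw = filterContext.Controller.ValueProvider.GetValue("lessonId");
        var userId = filterContext.HttpContext.User.Identity.GetUserId();
        int lessonId;
        bool allowed = false;
        if (userId != null && raw != null && int.TryParse(raw.AttemptedValue, out lessonId))
        {
            using (var db = new SchoolDbContext())
                allowed = db.LessonTeachers.Any(lt => lt.LessonId == lessonId && lt.UserId == userId);
        }
        // Fail closed: a missing or unparsable id, or no matching row, is a 403.
        if (!allowed)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }
}

public class LessonController : Controller
{
    [LessonTeacherAuthorize]
    public ActionResult CreateHomework(int lessonId) { return View(); }
}
```

The output-cache revalidation registered by `base.OnAuthorization` re-runs only `AuthorizeCore`, so actions guarded this way should not also use `[OutputCache]`.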