user6788965

Role-based access on UI controls in ASP.NET MVC

I am building an application where the same page can be visited by multiple users of different roles, for example

The only thing that has come to mind so far is that I should make custom HTML helpers that accept a role as a parameter, check the role, and accordingly add disable or enable classes to the control. The application will have hundreds of pages, but some pages might have different access for different roles. Please provide a solution where I can achieve this page- and role-based access control without compromising much on performance.

Any help or suggestion will be appreciated. Thank you.

Upvotes: 1

Views: 1186

Answers (2)

Hamza Yahia

Reputation: 41

I faced the same issue, and after a lot of searching I didn't find any simple way, so I tried to find my own way.

1- After we create the user, we put this user in a group. This group has permissions for the pages and the buttons inside every single page in the system.

2- Users have two permission types:
a- Master user: has full access to the system pages and buttons
b- Normal user: has limited access to pages and buttons inside the page

3- In my HTML view, the first thing I do is find all buttons in the view using `var buttons = document.getElementsByTagName('button');`. In this way, I collect all buttons.

Then, in the `$(document).ready()` function, I do my job using AJAX like this:

```javascript
$.ajax({
    // Action and controller names are passed to Url.Action as strings
    url: '@Url.Action("MyFunction", "ControllerName")',
    method: 'GET',
    success: function (data) {
        // data carries the current user's permission flags (0 = not allowed)
        for (var i = 0; i < buttons.length; i++) {
            var button = buttons[i];
            var name = button.getAttribute('name');
            if (name == "Add" && data.AddPer == 0) {
                $("#" + button.getAttribute('id')).addClass("disabled");
            } else if (name == "Print" && data.PrintPer == 0) {
                $("#" + button.getAttribute('id')).addClass("disabled");
            } else if (name == "Edit" && data.EditPer == 0) {
                $("#" + button.getAttribute('id')).addClass("disabled");
            }
        }
    },
    error: function () {
        // Handle errors if needed
    }
});
```

What I am doing is this: after I collect all buttons, I get my permissions from my database and give the button's name. Then, in my for loop, I check whether this button is the Add button and whether the user has permission for this button or not. If not, I add the class disabled to this button; otherwise I don't do anything to the button.

Note: give your buttons a name like I do.

I want to say I can customize my solution, put it in a separate JavaScript file, call it inside your HTML view, and pass the parameter you need.

Upvotes: 0

joym8

Reputation: 4212

Do you really want to hide the controls that a user is not authorized to update? Or simply show an unauthorized error (`return new HttpUnauthorizedResult();`) when they hit the save/update button? If you prefer the latter, here is one way of doing this:

  1. Your razor views will not use any authorization code.
  2. Create a group/role, something like "All Authorized X app".
  3. Create groups/roles for individual functions, like "X Administrators", "X Initiators", "X Reviewers" and "X Guides".
  4. Add all the groups/roles from the third bullet into the second one.
  5. Decorate your controllers like `[Authorize(Roles = "All Authorized X app")]`.
  6. Within your save/update actions, use `if (User.IsInRole("X Administrators"))` or `if (User.IsInRole("X Reviewers"))`.

Upvotes: 1
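
An added example, not code from either answer: one ASP.NET MVC 5 controller in which the permission flags sent to the button-disabling script and the check inside the save action come from the same role predicates, so the server decides and the UI only mirrors it. The controller name, action names, in-memory store and the role-to-permission mapping are assumptions; the role names and the `AddPer`/`EditPer`/`PrintPer` fields follow the answers above.

```csharp
using System.Collections.Concurrent;
using System.Web.Mvc;

// Hypothetical controller; only members of the umbrella role reach any action.
[Authorize(Roles = "All Authorized X app")]
public class DocumentsController : Controller
{
    private const string Admins = "X Administrators";
    private const string Initiators = "X Initiators";
    private const string Reviewers = "X Reviewers";

    // Stand-in for the real data store (assumption for this example).
    private static readonly ConcurrentDictionary<int, string> Titles =
        new ConcurrentDictionary<int, string>();

    // Assumed mapping of roles to operations. Both the UI hint endpoint
    // and the enforcing action call these, so they cannot drift apart.
    private bool CanAdd() { return User.IsInRole(Admins) || User.IsInRole(Initiators); }
    private bool CanEdit() { return User.IsInRole(Admins) || User.IsInRole(Reviewers); }
    private bool CanPrint() { return true; } // every authorized user may print

    // Read by the client script to grey out buttons. Cosmetic only.
    [HttpGet]
    public JsonResult Permissions()
    {
        var flags = new
        {
            AddPer = CanAdd() ? 1 : 0,
            EditPer = CanEdit() ? 1 : 0,
            PrintPer = CanPrint() ? 1 : 0
        };
        return Json(flags, JsonRequestBehavior.AllowGet);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string title)
    {
        // Checked on every request: a "disabled" class in the browser
        // does not stop a request sent without clicking the button.
        if (!CanEdit())
        {
            return new HttpUnauthorizedResult();
        }
        Titles[id] = title;
        return new HttpStatusCodeResult(204);
    }
}
```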
