Joper

Reputation: 8209

ASP.NET Authorize attribute and Admin user role

Using the Authorize attribute I may specify the roles which are allowed to access the resources.

[Authorize(Roles="User")]

But if I have an admin user which is allowed to go to any resource, I need to specify this one as well:

[Authorize(Roles="User, Administrator")]

But maybe there is some way I can say that Administrator is allowed to go anywhere, and not specify this one in the Authorize attribute?

So I mean, if somewhere in the code (on a controller or on an action) there is this [Authorize(Roles="User")], it means that the Administrator role is allowed to go there as well.

Or maybe I can set it for all Authorize roles dynamically somehow when the application starts?

Any ideas?

UPDATED:

Currently I have one admin controller with the Authorize attribute [Authorize(Roles="Administrator")] and I have some actions in some other controllers with the attribute [Authorize(Roles="User")], so I will need to add "Administrator" there as well if I don't find a better solution.

Upvotes: 9

Views: 17382

Answers (5)

Luo Jiong Hui

Reputation: 5670

You need the concept of Static Role and Runtime Role. Here is a simple example:

Your role list and their levels:

  • Role: Admin | Level: 1
  • Role: Editor | Level: 2
  • Role: Viewer | Level: 3

Users and their Static Role (Static Role is the role you assigned to users):

  • User: John | Role: Admin
  • User: Sam | Role: Editor
  • User: Peter | Role: Viewer

At run time you generate a Run Time Role by using the Static Role and the Role Levels; users with a higher level of role automatically obtain the roles in the lower levels. So, after the calculation, the Run Time Roles for these users will be:

  • User: John | Role: Admin, Editor, Viewer
  • User: Sam | Role: Editor, Viewer
  • User: Peter | Role: Viewer

And then you can simply use [Authorize(Roles="Viewer")]; users with a higher level of permissions (e.g. John, Sam) can access it too, because they must also have the Viewer role at run time.

The point of using Static Role and Run Time Role is that the Static Role makes the role assignment easier, and the Run Time Role makes the resource authorization easier.

Upvotes: 1
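One way to put the Static Role / Run Time Role scheme from the answer above into an ASP.NET MVC application, as an added example that is not code from the answer or from ASP.NET itself: the role levels and role names are the ones listed above, the static roles are assumed to come from the configured RoleProvider, and the expanded runtime roles are attached to the principal in Global.asax so that the stock [Authorize(Roles="Viewer")] lets Admin and Editor through without touching any attribute.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: expand a user's static roles into runtime roles.
// Role names and levels are assumptions taken from the answer above.
public static class RoleHierarchy
{
    // Lower number = more powerful role.
    private static readonly Dictionary<string, int> Levels =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admin",  1 },
            { "Editor", 2 },
            { "Viewer", 3 },
        };

    // Returns every role at the same level as, or below, the strongest
    // static role the user holds. Unknown role names grant nothing.
    public static string[] Expand(IEnumerable<string> staticRoles)
    {
        var known = staticRoles.Where(Levels.ContainsKey).ToList();
        if (known.Count == 0)
            return new string[0];

        int best = known.Min(r => Levels[r]);
        return Levels.Where(kv => kv.Value >= best)
                     .OrderBy(kv => kv.Value)
                     .Select(kv => kv.Key)
                     .ToArray();
    }
}

// Global.asax.cs: after authentication, replace the principal with one that
// carries the runtime roles. [Authorize(Roles = "...")] calls IsInRole on
// this principal, so no attribute needs to list "Admin" explicitly.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return;

        // Assumed: static roles live in the configured RoleProvider.
        string[] staticRoles = Roles.GetRolesForUser(user.Identity.Name);
        string[] runtimeRoles = RoleHierarchy.Expand(staticRoles);

        var principal = new GenericPrincipal(user.Identity, runtimeRoles);
        Context.User = principal;
        System.Threading.Thread.CurrentPrincipal = principal;
    }
}
```

With this in place, John (static role Admin) gets the runtime roles Admin, Editor, Viewer, and Peter (static role Viewer) gets only Viewer, exactly as the answer describes. The expansion is driven by a single table, so adding a level or renaming a role is one edit rather than a sweep through every controller; the trade-off is that it becomes impossible to mark a resource as "Viewer only, not Admin", which is the same concern Doug Chamberlain raises further down.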

[Authorize(Roles = "User, Admin")]
public class PrestamosController : Controller
{
    // controller details
}

Upvotes: 2

Doug Chamberlain

Reputation: 11341

I think this will work for you. Create your own base controller, with the AuthorizeAttribute, then make your other Controllers inherit your base class.

using System.Web.Mvc;

// Base controller: the attribute is inherited by every derived controller.
[Authorize(Roles="Admin")]
public class MyFancyController : Controller
{
}

// Derived controller adds its own Authorize attribute on top of the inherited one.
[Authorize(Roles = "TaxPayer")]
public class WizardController : MyFancyController
{
    // actions go here
}

This is scary though, in my opinion.

How many controllers/Actions do you have? What if you forget about this later and maybe you have a page you don't want Admins to access?

Will debugging the code become more difficult?

Upvotes: 2

JSideris

Reputation: 5261

This is what I do: make sure users who are in the "Admin" role are also in the "User" role.

Upvotes: 0

LeftyX

Reputation: 35587

You can create a custom filter and use it to decorate your Actions or Controllers with it. This is a simple structure I've used quite a lot:

using System.Web.Mvc;

public class AuthorizationAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Anonymous callers are rejected before the action is even considered.
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // The action and controller being invoked, for the lookup below.
        var actionName = filterContext.ActionDescriptor.ActionName;
        var controllerName = filterContext.Controller.GetType().Name;

        bool isAuthorized = false;

        // Put your logic here !!!! (decide isAuthorized from actionName,
        // controllerName and the current user)

        if (!isAuthorized)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }
    }
}

You can read some more here

Upvotes: 1
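A filled-in version of the "put your logic here" idea that answers the original question directly, as an added example rather than code from the answer above or from ASP.NET: instead of a fresh ActionFilterAttribute it subclasses the framework's AuthorizeAttribute, so the stock Roles/Users parsing is kept and the filter still takes part in output-cache validation, which a plain ActionFilterAttribute does not. The role name "Administrator" and the controller are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: behaves like [Authorize(Roles = "...")], but the
// Administrator role (assumed name) passes every check without being listed.
public class AdminOrRolesAttribute : AuthorizeAttribute
{
    private const string AdminRole = "Administrator";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;

        // Administrator is allowed anywhere this attribute is applied.
        if (user.IsInRole(AdminRole))
            return true;

        // Everyone else goes through the stock Roles / Users check.
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Signed in but lacking the role: answer 403 instead of a 401,
            // which forms authentication would turn into a login redirect loop.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
        else
        {
            // Anonymous: keep the 401 so forms authentication redirects to the login page.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Usage (assumed controller): reachable by "User" and, implicitly, by "Administrator".
[AdminOrRoles(Roles = "User")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return Content("visible to User and Administrator");
    }
}
```

Because the override is inside AuthorizeCore, the attribute composes with the framework as the built-in one does: it can be applied per controller or per action, registered globally in GlobalFilters, and stacked with other authorization filters. The one behaviour to keep in mind is the same as with the base-controller approach: there is no longer any way to say "User but not Administrator" with this attribute, so a resource that must exclude admins has to use the stock [Authorize] instead.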
