CODEWITHSUNDEEP
asp.netasp.net-mvc-3
Diin
Diin

Reputation: 585

MVC3 logged in User can see only own stuff apart from Admin

A novice to asp.net and mvc3. I am learning by setting myself challenges/developing an application. I tag all record tables where users interact with ProviderUserKey. Now I want to be able to restrict users logged in to be able to edit or delete their own records only but administrators can edit or delete any. I have been using scaffolding to generate controllers and views etc. for eg code for editing`// POST: /Post/Edit/5

    [HttpPost]
    public ActionResult Edit(PJpost pjpost)
    {
        if (ModelState.IsValid)
        {
            db.Entry(pjpost).State = EntityState.Modified;
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        return View(pjpost);
    }`

Any help will be highly appreciated.

Upvotes: 2

Views: 1412

Answers (2)

Paweł Staniec
Paweł Staniec

Reputation: 3181

If you have a generic Edit method/action and you would like to keep it that way, I would add a method in your controller somethink like ValidateOwnership(record). This method would need to verify if CurrentUser's ID is matching the one on the record and if user is a member of particular role - that can be done with RoleManager class. Method would return true/false. When you got it ready just put the call to the method in your code after ModelState validation. It would look like this

[HttpPost]
public ActionResult Edit(PJpost pjpost)
{
    if (ModelState.IsValid)
    {
      if(IsOwnershipValid(pjpost){
          db.Entry(pjpost).State = EntityState.Modified;
          db.SaveChanges();
          return RedirectToAction("Index");
        }
       else {
           ModelState.AddModelError("ERROR","You're not allowed to do that");
           return View(pjpost);
        }
    }
    return View(pjpost);
}

EDIT : So the OwnershipValidation could look like this :

public bool ValidateOwnership(Pjpost pjpost) { 
    if (pjpost.MemUID == Membership.GetUser().ProviderUserKey.ToString()) 
    { 
    return true; 
    } 
    else 
    { 
    return false; 
    } 
}

I hope this is what you meant.

Upvotes: 2

COLD TOLD
COLD TOLD

Reputation: 13579

You need to look in to user roles and the process of authorization usually, MVC provides a registration and log in in it template including the account controller. To restrict user access you have to assign roles to users.

the code behind it would look something like this.

[Authorize(Roles="admin")]   
public ActionResult admin()
  { 
      //Action gives an admin rights since the user is in the admin role
  return View();     
  } 

[Authorize(Roles="manager")]   
public ActionResult manager()
  { //give a managers rights since user is im managers roles.
  return View();     
  }

Upvotes: 1

Related Questions