Turkdogan Tasdelen

Reputation: 898

Override/Disable Authorization in ASP.NET MVC 3

I wondered if it is possible to disable/override all authorization attributes.

On the development machine, the Active Directory organization is completely different from the production environment's. When I develop/test in the development environment I have to "remove" all authorization attributes.

Different types of Active Directory groups (in the Authorize attribute) are used in controller action methods.

    [Authorize]
    ...

    [Authorize(Roles=@"domain\HR")]
    ...

    [Authorize(Roles=@"domain\IT")]
    ...

Thanks in advance..

Upvotes: 8

Views: 5445

Answers (3)

Yashwant Shukla

Reputation: 37

You can simply add #if like below.

    // The attribute is compiled in only for non-Debug builds.
    #if !DEBUG
    [Authorize]
    #endif
    public class AccountController : BaseApiController
    {
        // ...
    }

Upvotes: 2

Sergii Kudriavtsev

Reputation: 10532

I'd do the following:

  1. Write a custom authorization attribute which will work as default in Release and always allow the action in Debug, i.e.

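    using System.Web;
    using System.Web.Mvc;

    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Debug builds allow every request; Release builds run the normal checks.
            #if DEBUG
            return true;
            #else
            return base.AuthorizeCore(httpContext);
            #endif
        }
    }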
    
  2. Replace all existing Authorize attributes in code with your own, i.e.

    [MyAuthorize]
    ...
    
    [MyAuthorize(Roles=@"domain\HR")]
    ...
    
    [MyAuthorize(Roles=@"domain\IT")]
    ...
    
  3. Always develop in Debug mode and publish in Release mode.

If you don't wish to be bound to the Debug/Release thing, you can specify your own conditional compilation symbol in the project configuration (for example, DEVTEST) and replace DEBUG with DEVTEST in the step 1 code.

Upvotes: 13
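
A hardened variant of the attribute from the answer above, added here as an illustration and not code from any of the posters: the bypass is compiled in only under the DEVTEST symbol, is honored only for loopback requests, and a startup guard refuses to run a DEVTEST build on a production host. `DevBypassAuthorizeAttribute`, `AuthorizationBuildGuard` and the `isProductionHost` flag are hypothetical names; how a host is classified as production is left to the caller.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical name; same idea as MyAuthorizeAttribute, with two extra safeguards.
public class DevBypassAuthorizeAttribute : AuthorizeAttribute
{
    // True only when the assembly was compiled with the DEVTEST symbol.
    public static bool BypassCompiledIn
    {
        get
        {
#if DEVTEST
            return true;
#else
            return false;
#endif
        }
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Even in a DEVTEST build, requests that do not come from the
        // local machine still go through the normal role checks.
        if (BypassCompiledIn && httpContext.Request.IsLocal)
        {
            return true;
        }
        return base.AuthorizeCore(httpContext);
    }
}

// Hypothetical deployment gate: call once from Application_Start in Global.asax.
public static class AuthorizationBuildGuard
{
    // isProductionHost is an assumption: the caller decides it, for example
    // from an appSettings value that exists only on production servers.
    public static void AssertProductionSafe(bool isProductionHost)
    {
        if (isProductionHost && DevBypassAuthorizeAttribute.BypassCompiledIn)
        {
            throw new InvalidOperationException(
                "DEVTEST build on a production host: authorization bypass is compiled in.");
        }
    }
}
```

`Request.IsLocal` is judged from the connection's remote address, so a reverse proxy running on the same host makes every request look local; in that setup the startup guard is the only backstop.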

Iridio

Reputation: 9271

Instead of overriding the AuthorizeAttribute, have you considered implementing your own? You can create your attribute and handle the logic for the validation.

Something similar to this:

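    using System.Web.Mvc;
    using System.Web.Routing;
    using System.Web.Security;

    // UserProfileRole and ETMembershipUser are application-specific types not shown here.
    public class AuthorizeRolesAttribute : ActionFilterAttribute
    {
      public UserProfileRole[] Roles { get; set; }

      public override void OnActionExecuting(ActionExecutingContext filterContext)
      {
        // Membership.GetUser() returns null for an anonymous request.
        var user = Membership.GetUser() as ETMembershipUser;
        var profile = user != null ? user.Profile : null;
        if (profile != null && Roles != null)
        {
          foreach (UserProfileRole role in Roles)
          {
            if (role == profile.Role)
              return; // role matches: let the action run
          }
        }
        // No matching role: redirect to Home/Index instead of running the action.
        //throw new SecurityException("You can not access this page");
        RouteValueDictionary redirectTargetDictionary = new RouteValueDictionary();
        redirectTargetDictionary.Add("action", "Index");
        redirectTargetDictionary.Add("controller", "Home");
        filterContext.Result = new RedirectToRouteResult(redirectTargetDictionary);
      }
    }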

Upvotes: 0
