asp.net mvc - MVC Skip Controller Authentication Use Action


Is it possible to bypass the authorization role check on the controller and enforce the role check on the action? I've spent a bit of time researching, and all I find shows how to implement AllowAnonymousAttribute. I'm using AllowAnonymousAttribute and it works great for bypassing authorization on an action. That isn't what I want. I have a controller that requires roles. When a particular action is requested I want to skip the roles at the controller level and verify the user has the roles designated on the action.

Here's the code:

    using System.Collections.Generic;
    using System.Web.Http;

    [Authorize(Roles = "Administrator")]
    public class MembersController : ViewApiController<MemberView>
    {
        // list of actions....

        [Authorize(Roles = "ApiUser")]
        [HttpPost]
        public void AutoPayPost([FromBody] List<AutoPayModel> autoPayList)
        {
            //....
        }
    }

The problem is I want users with the 'ApiUser' role to have access to the 'AutoPayPost' action. I realize I can remove the class-level Authorize attribute and add it to every action method on the controller, minus the 'AutoPayPost' action. I want to avoid this because several of my controllers inherit a base class that provides a long list of actions requiring the 'Administrative' role. Because of this I would have to override every base action, add the Authorize attribute to the overridden method, and delegate the call to the base class. This would work, but if I later decide to add functionality to the base class I'll have to remember to go to MembersController, override the new methods, add the attribute, etc...

It would be great if the end result looked like this:

    using System.Collections.Generic;
    using System.Web.Http;

    [Authorize(Roles = "Administrator")]
    public class MembersController : ViewApiController<MemberView>
    {
        // list of actions....

        // IgnoreControllerRoles is the wished-for property; it does not exist on AuthorizeAttribute.
        [Authorize(Roles = "ApiUser", IgnoreControllerRoles = true)]
        [HttpPost]
        public void AutoPayPost([FromBody] List<AutoPayModel> autoPayList)
        {
            //....
        }
    }

I do this; it checks if the user is in the listed roles/users and denies any of them.

    using System;
    using System.Web;
    using System.Web.Mvc;

    public class BypassAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Roles and Users default to "" on AuthorizeAttribute; dropping empty entries stops an
            // unset Users list from matching an anonymous identity whose Name is also "".
            string[] roles = this.Roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
            string[] users = this.Users.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

            // Anyone in a listed role is denied.
            foreach (var r in roles)
            {
                if (httpContext.User.IsInRole(r.Trim()))
                    return false;
            }

            // Anyone with a listed user name is denied (case-insensitive, as the base class compares Users).
            foreach (var u in users)
            {
                if (httpContext.User.Identity.Name.Equals(u.Trim(), StringComparison.OrdinalIgnoreCase))
                    return false;
            }

            // Everyone else only needs to be authenticated. Calling base.AuthorizeCore here would
            // require membership in the very Roles/Users just denied, so every caller would be rejected.
            return httpContext.User.Identity.IsAuthenticated;
        }
    }

And decorate the controller/action like this:

    // Inside a System.Web.Mvc Controller; db is the application's Entity Framework context.
    [BypassAuthorize(Roles = "admin,test,testint", Users = "tester")]
    public ActionResult Edit(int id = 0)
    {
        FooModel fooModel = db.FooModels.Find(id);
        if (fooModel == null)
        {
            return HttpNotFound();
        }
        return View(fooModel);
    }

Hope this helps you!
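Added example, not from the question or the answer: the "action roles override controller roles" behaviour the question asks for, written for ASP.NET Web API (the question's controller takes [FromBody]) as two attributes; the ActionRoles and ControllerRoles names, the AutoPayModel class and the controller body are all my own. Web API 2 also ships a built-in [OverrideAuthorization] attribute for the same purpose.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using System.Web.Http.Controllers;

// Action-scoped roles. Restricted to methods so it cannot land on a controller by mistake.
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ActionRolesAttribute : AuthorizeAttribute { }

// Controller-scoped roles. Enforced for every action except those carrying their own
// [ActionRoles]; an action without it still fails closed to the controller roles, so a
// forgotten attribute narrows access rather than widening it.
[AttributeUsage(AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ControllerRolesAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext == null) throw new ArgumentNullException("actionContext");

        bool actionHasOwnRoles = actionContext.ActionDescriptor
            .GetCustomAttributes<ActionRolesAttribute>()
            .Any();

        if (actionHasOwnRoles)
            return; // skip the controller check; [ActionRoles] runs as its own filter

        base.OnAuthorization(actionContext); // standard role/user check, 401 on failure
    }
}

// Constructed model for the sample action.
public class AutoPayModel { public int MemberId { get; set; } public decimal Amount { get; set; } }

// The question's layout: Administrator for everything the controller (or its base) exposes,
// ApiUser for AutoPayPost only. Inherited = true carries [ControllerRoles] to subclasses.
[ControllerRoles(Roles = "Administrator")]
public class MembersController : ApiController
{
    [HttpGet]
    public IHttpActionResult List() { return Ok(); } // Administrator only

    [ActionRoles(Roles = "ApiUser")]
    [HttpPost]
    public IHttpActionResult AutoPayPost([FromBody] List<AutoPayModel> autoPayList)
    {
        return Ok(autoPayList.Count); // ApiUser only; an Administrator without ApiUser is rejected here
    }
}
```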

