Author Topic: Custom Permissions in .NET using AuthorizeAttribute Web App  (Read 915 times)

Offline Vlads

Folks, I have a simple application where I am trying to implement simple permission functionality on the website. These are the tables I am dealing with.
A Department table that has the roles
And an AppPermissions table

If, say, ProductEdit has a value of "1", that particular user has permissions to the Product Edit Controller; if "0", no access, and so forth.



My current custom class, which is no doubt a bit messy:

Code: [Select]
public class AuthorizeGroups : AuthorizeAttribute
    {
        //public string EditPermission = "Allowed Access";

        public string EditPermission { get; set; }

       public class AuthorizeGroups : AuthorizeAttribute
    {
        //public string EditPermission = "Allowed Access";

        public string EditPermission { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            MyDBContext db = new MyDBContext();

            AppPermissions perm = new AppPermissions();
            Department dpt = new Department();

            var isAuthorized = base.AuthorizeCore(httpContext);
            if(!isAuthorized) { return false; }                   
                     
            //we need to get group_id (departmentID) of the permission, of the logged in user from permissions table
            //var pEdit = db.AppPermissions.FirstOrDefault(p => p.DepartmentId == p.Department.DepartmentId).ProductEdit.ToString();
           
            string currentUser = HttpContext.Current.User.Identity.Name.ToString();
            string currentPermission = perm.ProductEdit.ToString();
            string currentUserGroup = dpt.DepartmentName.Contains(currentUser).ToString();

            if (currentPermission == "1" && this.EditPermission.Contains(currentUserGroup))
            {               
                return true;
            }
            else
            {
                return false;
            }                       
        }       
    }

On my Edit Controller I then have the following

Code: [Select]
[AuthorizeGroups(EditPermission = "1")]
        public ActionResult Edit(int? id)
        {

The current result I am getting is that the edit functionality on the web page is restricting that action for all users, regardless of whether that permission is 1 or 0. Any help would be appreciated.
« Last Edit: April 6, 2017, 10:15:34 am by Vlads »

Offline SeanAxion

Re: Custom Permissions in .NET using AuthorizeAttribute Web App
« Reply #1 on: April 6, 2017, 08:42:43 pm »
Can you not use FormsAuthentication for this? I've always used that in .NET when dealing with user permissions and different levels of access for different roles.

Offline mattybeard

Re: Custom Permissions in .NET using AuthorizeAttribute Web App
« Reply #2 on: April 7, 2017, 02:11:37 pm »
Your class paste is a bit weird with duplicated stuff.

What are you getting on step through? Could you not be having a type issue? 1 != "1"

Offline Vlads

Re: Custom Permissions in .NET using AuthorizeAttribute Web App
« Reply #3 on: April 7, 2017, 07:30:42 pm »
mattybeard, yes, you are correct, that was one of the issues. It was in fact a null value all the way; that's why it's restricting all users.
From (after) the line

Code: [Select]
string currentUser = HttpContext.Current.User.Identity.Name.ToString();
I have to call a stored procedure from there that gets the ProductEdit value where DepartmentID = logged-in user DepartmentID.
It's what I am trying to figure out at the moment, as I am using Entity Framework and PostgreSQL.

 

Offline WorldChampions

Re: Custom Permissions in .NET using AuthorizeAttribute Web App
« Reply #4 on: April 16, 2017, 01:20:54 pm »
When they log in, check their permissions and store them as identity claims. Then you can check this using an action filter on your controller/specific action without an additional DB hit for each request.

http://benfoster.io/blog/asp-net-identity-role-claims


If you are still struggling with this, PM me a link to your project if it's on GitHub and I will take a look.
« Last Edit: April 16, 2017, 01:23:02 pm by WorldChampions »
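
A sketch of the claims approach suggested in Reply #4, added here as an example and not code from any poster in this thread. It assumes ASP.NET MVC 5 with a claims-based cookie identity (ASP.NET Identity); `PermissionClaims`, `RequirePermissionAttribute`, `ProductController` and the claim type `app:permission` are hypothetical names, and the lookup of the user's department row is left to the caller.

```csharp
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

public static class PermissionClaims
{
    // Hypothetical claim type; any stable string works.
    public const string Type = "app:permission";

    // Call once at sign-in, before the identity is issued as the auth cookie.
    // canEditProduct: true when the department's ProductEdit column is 1
    // (assumption: the caller has already loaded that AppPermissions row).
    public static void AddTo(ClaimsIdentity identity, bool canEditProduct)
    {
        if (canEditProduct)
            identity.AddClaim(new Claim(Type, "ProductEdit"));
    }
}

public class RequirePermissionAttribute : AuthorizeAttribute
{
    public string Permission { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;  // not logged in
        if (string.IsNullOrEmpty(Permission)) return false;  // misconfigured: deny

        // No database access here: the claim was stored at sign-in.
        var user = httpContext.User as ClaimsPrincipal;
        return user != null && user.HasClaim(PermissionClaims.Type, Permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but lacking the claim: answer 403 instead of bouncing to login.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class ProductController : Controller
{
    [RequirePermission(Permission = "ProductEdit")]
    public ActionResult Edit(int? id) { return View(); }
}
```

Because the claim lives in the auth cookie, a change to a department's permissions takes effect only when the user signs in again or the cookie is reissued.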