Search code examples
c#asp.net-mvc-4entity-framework-4.3asp.net-mvc-areasasp.net-authorization

How to secure MVC4 area for admins from custom SQL "AdminUsers" table

I've seen a number of examples on securing an MVC application with tokens, roleprovider and membershipprovider but none quite fit my scenario. Here's my setup..

  • VS2012 linked to SQL 2008 R2 using EntityFramework 4.3 manage data.
  • Project is setup in IIS for basic authentication so all staff, faculty and students with empID can authenticate internally or externally. Some of these people are admins so they are managed in admin area.
  • I've created an "Admin" area within my project that currently has no security so anyone can type domain/admin and be redirected to that area. This area contains and adminuser (CRUD), appointments (CRUD), settings (U), tools and reports functionality. The adminUser and appointments section have their own table and CRUD is working as expected.

Here's what I'm asking.. How do I validate basic authentication current user against "Admins" from my AdminUsers sql table and then only allow these folks access to my admin area?

Thanks for your time, Chris

Solution

  • If you're not going to rely on membership or roles you could always write a custom implementation of the AuthorizeAttribute that checks the user against the database.

    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AdminOnlyAttribute : AuthorizeAttribute
{
    public AdminOnlyAttribute()
    {
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!User not in Admin table)
        {
          throw new UnauthorizedAccessException();
        }
        base.OnAuthorization(filterContext);
    }
}

    Or something of the sort. Then of course:

    [AdminOnly]
public class AdminController : Controller
{
    // ...
}