Tags: asp.net-mvc, asp.net-identity, claims-based-identity

ASP.Net MVC:How to attach claim permission to action like roles


I am reading an article on roles and claims with Identity and still many things are not figured out. So I am very curious to know how user access rights are implemented when we are using Identity with claims.

When we use roles, we decorate the action with a single or multiple role names. If the user has that role then the user can access that action, otherwise not, like the code below.

// Built-in System.Web.Mvc.AuthorizeAttribute: only members of the "Manager" role reach this action.
[Authorize(Roles = "Manager")]
public ActionResult Create()
{
    var Product = new ProductMaster();
    return View(Product);
}

I guess when we work with Identity and claims there must be some way to attach a role or permission to each action, like roles. If anything such exists, then please share the idea of how to implement this with good example code, or provide article links. Thanks.


Solution

  • This is a custom-made Authorize attribute which checks permissions from the database. For example, you have 3 bools for the permissions Account, Clients, Configuration and you want to restrict users based on them; then place the following line on the action result.

    You can even add two permissions on one action; for example, if you have a method which can be accessed by the Account and Client permissions, then you can add the following line:

    [PermissionBasedAuthorize("Client, Account")]   
    

    The class below is what checks the bools from the database.

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Web;
    using System.Web.Http;
    using System.Web.Http.Controllers;
    using Microsoft.AspNet.Identity;

    // HttpActionContext / HttpResponseMessage make this a Web API filter
    // (System.Web.Http.AuthorizeAttribute). An MVC filter would derive from
    // System.Web.Mvc.AuthorizeAttribute and override AuthorizeCore(HttpContextBase).
    public class PermissionBasedAuthorize : AuthorizeAttribute
    {
        private readonly List<string> screen = new List<string>();

        public PermissionBasedAuthorize(string ScreenNames)
        {
            if (!string.IsNullOrEmpty(ScreenNames))
            {
                // Trim each name so "Client, Account" yields "Account", not " Account",
                // which would never match a property name.
                screen = ScreenNames.Split(',')
                                    .Select(s => s.Trim())
                                    .Where(s => s.Length > 0)
                                    .ToList();
            }
        }

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            // The base check answers 401 for anonymous callers; stop if it did.
            base.OnAuthorization(actionContext);
            if (actionContext.Response != null)
                return;

            // No screen names is a configuration error: deny and return, instead of
            // falling through to the loop below (which would throw on an empty list).
            if (screen.Count == 0)
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
                return;
            }

            var UserId = HttpContext.Current.User.Identity.GetUserId();
            bool IsAllowed = false;

            using (var db = new ApplicationContext())
            {
                var Permissions = db.Permissions.Find(UserId);

                // Find returns null when the user has no permission row: treat as no access.
                if (Permissions != null)
                {
                    foreach (var item in screen)
                    {
                        foreach (var property in Permissions.GetType().GetProperties())
                        {
                            // Only bool columns are permissions; skip the key and other columns.
                            if (property.PropertyType == typeof(bool)
                                && property.Name.Equals(item, StringComparison.OrdinalIgnoreCase))
                            {
                                IsAllowed = (bool)property.GetValue(Permissions, null);
                                break;
                            }
                        }
                        if (IsAllowed)
                            break;   // any one of the listed permissions is enough
                    }
                }
            }

            // The caller is signed in but lacks the permission: 403, not 401
            // (401 means "not authenticated" and makes clients re-prompt for credentials).
            if (!IsAllowed)
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
            }
        }
    }
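The question asks how to attach a permission to an action the way `[Authorize(Roles = ...)]` attaches a role when Identity is used with claims, and the answer above does it with a per-request database lookup of bool columns. The following is an added example, not code from the question or the answer: the same "any one of the listed permissions" check, but evaluated over permission claims carried by the signed-in `ClaimsPrincipal`, written as a `System.Web.Mvc.AuthorizeAttribute` (the answer's filter targets Web API's `HttpActionContext`). The attribute name `ClaimsPermission`, the claim type URI, the `PermissionStore` lookup and the sample user ids are assumptions; the `GenerateUserIdentityAsync` method is the hook the MVC Identity template already generates on `ApplicationUser`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical attribute (example code, not from the original answer).
// [ClaimsPermission("Account", "Clients")] allows the request when the caller holds
// at least one of the listed permission claims (OR, like the answer's comma list).
// Stacking several attributes on one action gives AND.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class ClaimsPermissionAttribute : AuthorizeAttribute
{
    // The claim type is an assumption; any private URI works as long as the same
    // string is used when the claims are issued at sign-in.
    public const string PermissionClaimType = "http://example.org/claims/permission";

    private readonly string[] _required;

    public ClaimsPermissionAttribute(params string[] permissions)
    {
        _required = (permissions ?? new string[0])
            .Select(p => (p ?? "").Trim())
            .Where(p => p.Length > 0)
            .ToArray();
    }

    // The pure decision, exposed so it can be unit-tested without an HttpContext.
    public bool IsAllowed(ClaimsPrincipal principal)
    {
        if (principal == null || _required.Length == 0)   // fail closed on misconfiguration
            return false;
        var granted = principal.FindAll(PermissionClaimType).Select(c => c.Value).ToList();
        return _required.Any(r => granted.Contains(r, StringComparer.OrdinalIgnoreCase));
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base checks (IsAuthenticated, Roles=, Users=) so this attribute
        // composes with them instead of bypassing them.
        return base.AuthorizeCore(httpContext)
            && IsAllowed(httpContext.User as ClaimsPrincipal);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The base class always answers 401, which the cookie middleware turns into a
        // redirect to the login page; for a signed-in user who merely lacks the
        // permission that is a redirect loop. Answer 403 instead.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Where the claims come from: add them when the sign-in identity is built, so the
// per-request check reads the auth cookie and never queries the database.
// PermissionStore is a hypothetical lookup standing in for the answer's Permissions
// table (bool columns Account / Clients / Configuration).
public class ApplicationUser : IdentityUser
{
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        var identity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
        foreach (var permission in PermissionStore.PermissionsFor(Id))
            identity.AddClaim(new Claim(ClaimsPermissionAttribute.PermissionClaimType, permission));
        return identity;
    }
}

public static class PermissionStore
{
    // Constructed sample data; a real implementation reads the permission row.
    private static readonly Dictionary<string, string[]> Sample = new Dictionary<string, string[]>
    {
        { "user-1", new[] { "Account", "Clients" } },
        { "user-2", new[] { "Configuration" } },
    };

    public static string[] PermissionsFor(string userId)
    {
        string[] perms;
        return Sample.TryGetValue(userId, out perms) ? perms : new string[0];
    }
}

// Usage on the action from the question:
//   [ClaimsPermission("Account", "Clients")]
//   public ActionResult Create() { return View(new ProductMaster()); }
```

Two caveats that follow from moving the check into the cookie: a permission change in the database only reaches a user when a new identity is issued, i.e. at the next sign-in or when the template's `SecurityStampValidator` regenerates the identity (`validateInterval` in `Startup.Auth.cs`), so revoke by also updating the security stamp; and because the claim values are compared to the attribute's strings, the names used at sign-in and on the actions must match exactly (the answer's prose says `Clients` but its usage line says `Client`, which a name-based check would treat as different permissions).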