I am working with a permission-based authorization system for my app in ASP.NET MVC.
For this I have created a custom authorization attribute:
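    public class MyAuthorizationAttribute : AuthorizeAttribute
    {
        // Roles is already a public property on AuthorizeAttribute.
        // Named attribute arguments need a public property, and the name
        // must match the usage on the actions (Permissions).
        public string Permissions { get; set; }
    }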
so that I can authorize a user by either a role or a specific permission key, with annotations on actions like:
    public class UserController : Controller
    {
        // Action bodies are not shown in the question; View() is a placeholder.
        [MyAuthorization(Roles="ADMIN", Permissions="USER_ADD")]
        public ActionResult Add() { return View(); }

        [MyAuthorization(Roles="ADMIN", Permissions="USER_EDIT")]
        public ActionResult Edit() { return View(); }

        [MyAuthorization(Roles="ADMIN", Permissions="USER_DELETE")]
        public ActionResult Delete() { return View(); }
    }
Then I override the AuthorizeCore() method in the MyAuthorizationAttribute class with logic similar to this (pseudo code):
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if(user not authenticated)
            return false;
        if(user has any role of Roles)
            return true;
        if(user has any permission of Permissions)
            return true;
        return false;
    }
Up to this point it is working fine.
Now I need some sort of extension method so that I can dynamically generate action URLs in view pages, returning the action URL based on the MyAuthorization attribute's authorization logic for the given action. Like

    @Url.MyAuthorizedAction("Add", "User")

will return the URL to "User/Add" if the user has the admin role or has the permission "USER_ADD" (as defined in the attributes for the action), or return an empty string otherwise.
But after searching the internet for a few days I could not figure it out. :(
So far I have found only this: "Security aware" action link? which works by executing all action filters for the action until it fails.
It's nice, but I think it would be an overhead to execute all the action filters each time I call the MyAuthorizedAction() method. Besides, it also didn't work with my version (MVC 4 and .NET 4.5).
All I need is to check the authenticated user's roles and permissions (which will be stored in session) against the authorized roles and permissions for the given action. Something like the following (pseudo code):
    MyAuthorizedAction(string actionName, string controllerName)
    {
        ActionObject action = SomeUnknownClass.getAction(actionName, controllerName)
        MyAuthorizationAttribute attr = action.returnsAnnotationAttributes()
        if(user roles contains any in attr.Roles
           or
           user permissions contains any attr.Permissions)
        {
            return url to action
        }
        return empty string
    }
I have been searching for a way to get an action's attribute values for quite a long time, and could not find enough good resources at all. Am I missing the right keywords? :/
If anyone can provide me the solution that would be truly a great help.
Thanks in advance for the solutions.
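
One way to write the helper sketched in the pseudo code above, as an added example that is not part of the original post: it reads MyAuthorizationAttribute from the action by reflection instead of running the filter pipeline. It assumes the attribute exposes public comma-separated Roles and Permissions strings, that controllers live in the same assembly as the attribute, and that the user's permission keys sit in session under a hypothetical "Permissions" key as IEnumerable<string>.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web;
using System.Web.Mvc;

public static class AuthorizedUrlExtensions
{
    // Assumed session key holding the user's permission keys as IEnumerable<string>.
    private const string PermissionsKey = "Permissions";

    public static string MyAuthorizedAction(this UrlHelper url, string actionName, string controllerName)
    {
        HttpContextBase http = url.RequestContext.HttpContext;
        if (http.User == null || !http.User.Identity.IsAuthenticated) return string.Empty;

        // Assumption: controllers are in the same assembly as MyAuthorizationAttribute.
        Type controller = typeof(MyAuthorizationAttribute).Assembly.GetTypes().FirstOrDefault(t =>
            typeof(IController).IsAssignableFrom(t) && !t.IsAbstract &&
            t.Name.Equals(controllerName + "Controller", StringComparison.OrdinalIgnoreCase));
        if (controller == null) return string.Empty;

        // Overloads are not told apart: every public method with this name is considered.
        var methods = controller.GetMethods(BindingFlags.Public | BindingFlags.Instance)
            .Where(m => m.Name.Equals(actionName, StringComparison.OrdinalIgnoreCase)).ToList();
        if (methods.Count == 0) return string.Empty;

        // Controller-level and action-level attributes must all pass, as they would at request time.
        var attrs = methods.SelectMany(m => m.GetCustomAttributes(typeof(MyAuthorizationAttribute), true))
            .Concat(controller.GetCustomAttributes(typeof(MyAuthorizationAttribute), true))
            .Cast<MyAuthorizationAttribute>();
        return attrs.All(a => IsAllowed(a, http)) ? url.Action(actionName, controllerName) : string.Empty;
    }

    // Same rule as the AuthorizeCore pseudo code: any listed role OR any listed permission.
    private static bool IsAllowed(MyAuthorizationAttribute attr, HttpContextBase http)
    {
        var held = (http.Session == null ? null : http.Session[PermissionsKey] as IEnumerable<string>)
                   ?? Enumerable.Empty<string>();
        return Split(attr.Roles).Any(http.User.IsInRole)
            || Split(attr.Permissions).Intersect(held).Any();
    }

    private static IEnumerable<string> Split(string csv)
    {
        return (csv ?? string.Empty).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(s => s.Trim());
    }
}
```

The helper only decides whether a link is rendered; the attribute on the action remains the enforcement point for requests that reach the URL directly. The reflection lookup can be cached per controller/action pair if the per-call cost matters.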