
Maybe there are many duplicates of this question. But I ignored the default membership of MVC and use my custom login with cookies. That is why I cannot create a Custom Authorize Attribute like in the samples. I have a User model like this:

public class MyUserModel
{
    public string Id { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
    // Role identifier; the comments below say it holds 1 (user) or 100 (admin),
    // so it must be an int, not a bool.
    public int RoleId { get; set; }
}

Here is my LogIn action:

[HttpPost]
public ActionResult LogIn(MyUserModel model)
{
    // Only proceed when the browser accepts cookies.
    if (Request.Browser.Cookies)
    {
        // First login from this browser: create the cookie and set its lifetime.
        if (Request.Cookies["UserInfo"] == null)
        {
            if (model.RememberMe)
            {
                Response.Cookies["UserInfo"].Expires = DateTime.Now.AddDays(30);
            }
            else
            {
                Response.Cookies["UserInfo"].Expires = DateTime.Now.AddMinutes(Session.Timeout);
            }
        }

        // In both cases the same subkeys are written, so the assignments are done once here.
        // Note: this stores the credentials, including the plaintext password, in a client-side cookie.
        Response.Cookies["UserInfo"]["UserName"] = model.UserName;
        Response.Cookies["UserInfo"]["Password"] = model.Password;
        Response.Cookies["UserInfo"]["Id"] = model.Id;
    }
    return RedirectToAction("Index", "Home");
}

I need to create a Custom Authorize Attribute by RoleId. By the way, I already have the methods bool UserInRole(roleId) and bool IsUserAuthenticated() ready.

Sorry for bad English.

Jeyhun Rahimov
    What's the point of having RoleId in your LogOn model? The user could put anything he wants in this field when posting the form. Where are you persisting your user profile information? Are you using some storage on the server? – Darin Dimitrov Jan 29 '13 at 07:22
  • When a user registers or logs in, RoleId is hidden. I set the value to 1 or 100 (user or admin) when the user registers, in the MyService.SaveUser(MyUserModelEntity) method – Jeyhun Rahimov Jan 29 '13 at 07:40
  • What do you mean by hidden? Where do you set its value? By hidden I hope you don't mean hidden field. – Darin Dimitrov Jan 29 '13 at 09:46
  • In the view: @Html.Hidden("RoleId"). And I set its value when saving the user data. – Jeyhun Rahimov Jan 29 '13 at 11:38
  • And what would prevent the user from modifying the value in this hidden field and submitting whatever value he wants? It's an absolutely trivial task with FireBug. – Darin Dimitrov Jan 29 '13 at 11:39
  • On the business side, only 1 admin can set the value of RoleId. First I check the username and password for Admin; if the user is Admin then I let him edit his RoleId. But generally you are right. I will separate the UserModel and LogOn model. Now I am checking the following video to create a custom authorize. – Jeyhun Rahimov Jan 29 '13 at 11:50
  • This tutorial is great. You can learn custom authorize clearly from this video. http://www.youtube.com/watch?feature=player_embedded&v=BsxUsyMSGeA – Besim Erşahin Jan 29 '13 at 08:25

0 Answers
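An added example (not code from the question or from any answer) of the custom attribute the question asks for, written the way the comments recommend: the `UserInfo` cookie only identifies the user, and the role is resolved on the server. It assumes the asker's cookie layout (an `Id` subkey) and a hypothetical `MyService.GetRoleIdForUser` standing in for the server-side user store, with constructed sample ids.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical server-side lookup standing in for the asker's user store;
// the ids and roles below are constructed sample data only.
public static class MyService
{
    public static int? GetRoleIdForUser(string userId)
    {
        if (userId == "42") return 100;   // admin
        if (userId == "7") return 1;      // ordinary user
        return null;                      // unknown id
    }
}

// Usage: [RoleIdAuthorize(100)] for admin-only, [RoleIdAuthorize] for any signed-in user.
public class RoleIdAuthorizeAttribute : AuthorizeAttribute
{
    private readonly int[] _allowedRoleIds;
    public RoleIdAuthorizeAttribute(params int[] allowedRoleIds)
    {
        _allowedRoleIds = allowedRoleIds ?? new int[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        // The cookie only identifies the user. Its subkeys are client-controlled,
        // so the role is never read from the cookie or from a posted hidden field.
        HttpCookie cookie = httpContext.Request.Cookies["UserInfo"];
        if (cookie == null || string.IsNullOrEmpty(cookie["Id"]))
            return false;                 // not authenticated
        int? roleId = MyService.GetRoleIdForUser(cookie["Id"]);
        if (roleId == null)
            return false;                 // id not present in the server-side store
        // No roles listed means "any authenticated user".
        return _allowedRoleIds.Length == 0 || _allowedRoleIds.Contains(roleId.Value);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Anonymous users go to the login page; signed-in users lacking the role get 403.
        if (filterContext.HttpContext.Request.Cookies["UserInfo"] == null)
            filterContext.Result = new RedirectResult("~/Account/LogIn");
        else
            filterContext.Result = new HttpStatusCodeResult(403);
    }
}
```

The cookie in the question is still an unsigned identity claim, so in a real application the identifier should come from an authenticated, tamper-protected ticket (for example the encrypted ticket FormsAuthentication issues) rather than a plain `Id` subkey; the role lookup above stays the same either way.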