0

What's the data source ASP.NET MVC uses to see which role the user is in? And how can I change it so that it works with my own database table (so that when I write [Authorize(Roles="admin")] it checks in the table whether the user is in the role)?

Younes Ch

1 Answer

4

> What's the data source ASP.NET MVC uses to see which role the user is in?

It uses the RoleProvider that is configured in your web.config. If you want to use custom tables you could write a custom role provider by inheriting from the RoleProvider class and implementing the abstract members. The IsUserInRole method is the one that you should always implement because that's what will be used in this case:

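using System.Web.Security;

public class MyRoleProvider : RoleProvider
{
    public override bool IsUserInRole(string username, string roleName)
    {
        // go and hit your custom datasource to verify if the user 
        // is in the required role and return true or false from this
        // method
        ...
    }

    // RoleProvider's remaining abstract members (GetRolesForUser, etc.)
    // must also be overridden before this class will compile
    ...
}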

Then you could register your custom role provider in web.config in order to replace the default one:

<system.web>
    ...
    <roleManager enabled="true" defaultProvider="MyRoleProvider"> 
        <providers> 
            <add name="MyRoleProvider" type="Mynamespace.MyRoleProvider" /> 
        </providers> 
    </roleManager>
</system.web>

And if you don't want to be using any providers (judging from your previous question that seems to be the case) then you should write a custom Authorize attribute which is not using a role provider at all but is using some custom code of yours:

using System.Web;
using System.Web.Mvc;

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!httpContext.User.Identity.IsAuthenticated)
        {
            // no user is authenticated => no need to go any further
            return false;
        }

        // at this stage we have an authenticated user
        string username = httpContext.User.Identity.Name;
        return IsInRole(username, this.Roles);
    }

    private static bool IsInRole(string username, string roles)
    {
        // the username parameter will contain the currently authenticated user
        // the roles parameter will contain the string specified in the attribute
        // (for example "admin")
        // so here go and hit your custom tables and verify if the user is
        // in the required role
        ... 
    }
}

and finally decorate your controller action with this custom attribute instead of relying on the default one which is based on the role provider:

[MyAuthorize(Roles = "admin")]
public ActionResult Index()
{
    ...
}
Darin Dimitrov
  • Great post, thank you very much, that helps so much. I have spent 2 weeks looking for this, I have downloaded 3 ebooks about ASP.NET MVC 4 and I haven't found this. Can you tell me when have you learned this (kind of ebook title)? – Younes Ch Feb 17 '13 at 14:39
  • Well, you spent 2 weeks while I have spent 10 years working on line of business applications on the ASP.NET platform. That's how I learned it. – Darin Dimitrov Feb 17 '13 at 14:41
  • The function is GetRolesForUser() and not IsUserInRole, I think you need more than 10 years :) – Younes Ch Feb 18 '13 at 08:36
  • Thank you @DarinDimitrov. This is what I have been looking for for the past 2 weeks. Finally solved my issue. However, I want to authorize multiple roles on the action method like below. [MyAuthorize(Roles = "admin | member")] public ActionResult Index() { ... } How should I use the authorize attribute? – ajexpress Jan 24 '14 at 21:27
  • @ajexpress, you could always split the string with some separator and then authorize for each of the roles. – Darin Dimitrov Jan 24 '14 at 21:31
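
A fuller version of the custom attribute from the answer, combined with the separator-splitting suggested in the last comment. This is an added example, not code from the answer or its author. It assumes a connection string named "AppDb", a table UserRoles(UserName, RoleName), a comma as the separator (the convention the built-in attribute uses), and the hypothetical class name TableRolesAuthorizeAttribute.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Usage: [TableRolesAuthorize(Roles = "admin,member")]
public class TableRolesAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false; // fail closed: anonymous requests never reach the database

        // "admin, member" -> ["admin", "member"]; membership in any one role is enough.
        var required = (Roles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        if (required.Length == 0)
            return true; // no roles listed: any authenticated user passes

        return required.Any(role => IsInRole(user.Identity.Name, role));
    }

    // Parameterized lookup: the user name and role name are bound as values
    // and are never concatenated into the SQL text.
    private static bool IsInRole(string username, string role)
    {
        // Assumed names: connection string "AppDb", table UserRoles(UserName, RoleName).
        var cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM UserRoles WHERE UserName = @u AND RoleName = @r", conn))
        {
            cmd.Parameters.AddWithValue("@u", username);
            cmd.Parameters.AddWithValue("@r", role);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Each authorized request runs one query per listed role until a match is found, so a short-lived per-user cache of roles is worth considering if the table is hit on every action.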