
Don't know if this is an appropriate question. However, here it goes.

I am currently working on a project for a client, ASP.net 4.5 MVC4 razor. It's basically a web store for their customers who register an account and order products from their catalogs to use at events they put on. Customers have to register for events created by my client's employees to place orders. There is an administrator portal on the site, where they would log in and create, manage and update events, orders, and users. How to do this is not my question. My question is:

How in the heck should I have the administrators register?! What process have you guys used? I don't think a hard-coded password is good, and I for sure want to separate it from normal user registration. I plan to use SimpleMembership. I mean an existing administrator could create admin accounts, but what about the first admin account. Chicken or the egg? Does this make sense?

EDIT: I did a fair amount of homework on this. I mean I suppose I could manually add an Admin role in webpages_Roles, manually assign it to the first administrator, and have subsequent administrators given that role by an admin, but the first couple of steps sound a little hackish.


1 Answer

As you say in the EDIT part, you should first add an admin account manually. After that, you can simply grant the Admin role to any registered user like this:

    Roles.AddUserToRole(model.UserName, "Admin");

If you want your admins to be completely separated from other users, you should put a User role on ordinary users, and don't let admins have this role.

So, simply add the above code in the Register action method of AccountController.cs:

    [HttpPost]
    // Only callers who already hold one of these roles may create accounts.
    // The role names must match the ones granted with Roles.AddUserToRole below.
    [Authorize(Roles = "Admin, Personnels")]
    [ValidateAntiForgeryToken]
    public ActionResult Register(RegisterModel model)
    {
        if (ModelState.IsValid)
        {
            // Attempt to register the user
            try
            {
                WebSecurity.CreateUserAndAccount(model.UserName, model.Password);
                Roles.AddUserToRole(model.UserName, "User"); // Add this line here...
                // Note: this signs the caller in as the newly created user;
                // drop it if an admin is creating accounts on behalf of others.
                WebSecurity.Login(model.UserName, model.Password);
                return RedirectToAction("Index", "Home");
            }
            catch (MembershipCreateUserException e)
            {
                ModelState.AddModelError("", ErrorCodeToString(e.StatusCode));
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

And take responsibility for creating admin accounts yourself, or let them register as ordinary users and do the following (the first approach is recommended):

    Roles.RemoveUserFromRole(model.UserName, "User");
    Roles.AddUserToRole(model.UserName, "Admin");

That was it...

  • Thank you for the thorough response. After thinking about it for a while, I realized there was really no way around manually adding the first user that would be efficient and also not lead to vulnerability. – bigjfunk Aug 11 '13 at 07:56
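An added example (not code from the answer or the project) of the "add the first admin manually" step done as a one-time startup bootstrap instead of a hand-edited webpages_Roles row: it reads the initial credentials from appSettings rather than hard-coding them, creates the Admin and User roles if missing, and does nothing once any administrator exists. It assumes a "DefaultConnection" connection string, a UserProfile table with UserId/UserName, and appSettings keys "BootstrapAdminUser"/"BootstrapAdminPassword" that are set for the first run only and removed afterwards.

```csharp
// Added example, not part of the answer. Call AdminBootstrap.Run() once from
// Application_Start (or the InitializeSimpleMembership filter) after the
// SimpleMembership tables exist.
using System;
using System.Configuration;
using System.Web.Security;
using WebMatrix.WebData;

public static class AdminBootstrap
{
    public const string AdminRole = "Admin";
    public const string UserRole = "User";

    public static void Run()
    {
        // Assumed connection string and profile table names (adjust to the project).
        if (!WebSecurity.Initialized)
        {
            WebSecurity.InitializeDatabaseConnection(
                "DefaultConnection", "UserProfile", "UserId", "UserName",
                autoCreateTables: true);
        }

        // Make sure both roles exist so the Register action can assign them.
        foreach (var role in new[] { AdminRole, UserRole })
        {
            if (!Roles.RoleExists(role))
                Roles.CreateRole(role);
        }

        // If any administrator already exists there is nothing to bootstrap,
        // so the configured credentials are never reused to create a second one.
        if (Roles.GetUsersInRole(AdminRole).Length > 0)
            return;

        // Assumed appSettings keys; present only for the first deployment.
        var user = ConfigurationManager.AppSettings["BootstrapAdminUser"];
        var password = ConfigurationManager.AppSettings["BootstrapAdminPassword"];
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException(
                "No Admin account exists and no bootstrap credentials are configured.");

        if (!WebSecurity.UserExists(user))
            WebSecurity.CreateUserAndAccount(user, password);

        // The first admin gets only the Admin role, keeping it separate from "User".
        Roles.AddUserToRole(user, AdminRole);
    }
}
```

After the first admin has logged in and changed the password, remove the two bootstrap appSettings keys; from then on the Register action shown in the answer is the only way new accounts and roles are created.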