1

I have an Asp.Net MVC 5 application. I want to use user roles to authorize only some people to use a specific action. I've changed my Web.config file like this:

<roleManager enabled="true"/>
<membership defaultProvider="SimpleMembershipProvider">
  <providers>
    <clear/>
    <add name="SimpleMembershipProvider" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
  </providers>
</membership>

This is how I add users to roles:

if (!await Roles.RoleExists(role))
    await Roles.CreateRole(new Role(role));
await Roles.AddUserToRole(role, user.Id);

Currently I am able to access the roles for a user through code using something like this:

    public static async Task<IEnumerable<string>> GetUserRoles(string username)
    {
        if (string.IsNullOrEmpty(username))
            return new string[0];
        string userId = await Logins.GetUserId(IdentityConfig.LocalLoginProvider, username);
        var roles = await Roles.GetRolesForUser(userId);
        return roles;
    }

However, when I try to use the Authorize attribute to access the roles, the page will get stuck and nothing loads.

[Authorize(Roles = "Admin")]
public ActionResult Index()
{
    return View(db.Restaurants.ToList());
}

What am I doing wrong here?

Update:

After a while the webpage will show this error:

Asp.Net error page

Community
  • 1
  • 1
Alireza Noori
  • 14,961
  • 30
  • 95
  • 179
  • it's pretty clear about the problem. The database instance was not found. Check your connection string. – Erik Funkenbusch Sep 17 '13 at 22:50
  • @MystereMan I can use my database in any other case. How is it possible that the database is working but not found when trying with `AtuthorizeAttribute`? – Alireza Noori Sep 18 '13 at 05:06
  • Since you haven't included any information about your database, how exactly would I know? – Erik Funkenbusch Sep 18 '13 at 05:32
  • @MystereMan I appreciate your help but I explicitly have mentioned that I am able to access my roles through code but I get the error only when I try to use the attribute. Please kindly read the question fully again. Thanks. – Alireza Noori Sep 18 '13 at 05:38
  • You can say it all you like, but without providing information on how you're connecting to your database, nobody can tell you what you're doing wrong. – Erik Funkenbusch Sep 18 '13 at 05:43

3 Answers3

2

You cannot really mix the old membership/roles with the new identity system. You need to pick one or the other. The authorize attribute should work fine assuming you added the user to the admin role via the new identity apis.

At the bottom, this article demonstrates roles Mvc5 tutorial

Hao Kung
  • 28,040
  • 6
  • 84
  • 93
  • I read the whole tutorial. It's not doing anything other than what I posted here. – Alireza Noori Sep 17 '13 at 21:40
  • I'm using the [Authorize] attribute everywhere with the new Identity system, and it appears to be working properly. What am I missing? – Leonardo Herrera Sep 18 '13 at 06:55
  • The authorize attribute works against ClaimsPrincipal.IsInRole which is not really specific for the new identity system. – Hao Kung Sep 23 '13 at 17:48
  • @HaoKung That article does not include a section talking about roles(?). The last paragraph is the only place where it mentions roles and that has a link to a tutorial for azure. Perhaps you copy pasted the wrong link? Where can I find the most up-to-date article/doc/sampleapp on roles? Thanks – PussInBoots Nov 06 '13 at 12:59
  • The Mvc5 tutorial, at the bottom, links to the [Azure tutorial](http://www.windowsazure.com/en-us/develop/net/tutorials/web-site-with-sql-database/#mbrDB) where the latter demonstrates roles and Authorize Attribute. @Alireza the latter suggests naming roles by action permitted, e.g. CanEdit or Editor, rather than by name, e.g. Admin or SuperUser. – subsci Dec 18 '13 at 07:34
1

I had the same problem, it has nothing to do with your connection string. Add the following to your web.config:

Here's the answer: http://blog.luppes.com/2013/12/08/mvc5-authentication-roles-failure/

Mikejh99
  • 378
  • 5
  • 12
0

As of ASP.NET 4.5.1/VS2013, MVC as of MVC5 is no longer a separate product, but is now completely integrated into ASP.NET. This is part of Microsoft's new One ASP.NET strategy.

In addition to this, Microsoft has developed a new kind of identity management system called the ASP.NET Identity, which does not use the legacy membership system.

Basically, if you want to use the old membership system, you need to use MVC4 or earlier. If you want to use ASP.NET Identity, then MVC5.

Erik Funkenbusch
  • 92,674
  • 28
  • 195
  • 291