1

My View uses @Html.Action(…) to reflect various functional blocks. In opening the page, the site shows Authorization dialog box for users that do not have role pointed in controller method. (e.g. “manager” or “caller”) On pressing “cancel” get: 401 - Unauthorized: Access is denied due to invalid credentials. May I achieve changes of my application behavior in case a user has no required roles, @Html.Action is ignored or nothing is shown?

My VIew: 

@model InApp.ViewModel.ListViewModel
@{
    Layout = "~/Views/Shared/_Layout.cshtml";
}
<div id="CallList">
@Html.Action("List","Call",new {id=Model.id})
</div>

<div class="Order">
@Html.Action("Create","Order",new {id=Model.id})
</div>

Controllers:

[Authorize(Roles = "manager, caller")] //if a user is not 'manager' or 'caller'
public PartialViewResult List()        // nothing is shown
{
  //...private 
  return PartialView();
}

[Authorize(Roles = "manager, admin")]
public PartialViewResultCreate()
{
  //...private 
  return PartialView();
}

Trying to find the correct solution I have found similar questions:

Ignore @Html.Action() if user not in Role and asp.net MVC3 razor: display actionlink based on user role But I do not like “if” condition in my View. I am looking for a complex solution to hide and show separate parts using only AuthorizeAttribute and to avoid if – else in View or Controller. Thanks for any help!

Community
  • 1
  • 1
  • Maybe you can move those links (@html.actions on your view) to their respective partial views, if you're trying to avoid if statements altogether. – nocturns2 Nov 30 '13 at 22:06

2 Answers2

4

I can suggest using this extension method:

This is a wrapper for @Html.Action which checks the user rights by using reflection.

public static  MvcHtmlString ActionBaseRole(this HtmlHelper value, string actionName, string controllerName, object routeValues , IPrincipal user)
 {     
   bool userHasRequeredRole = false;
   Type t = Type.GetType((string.Format("MyProject.Controllers.{0}Controller",controllerName))); // MyProject.Controllers... replace on you namespace
   MethodInfo method = t.GetMethod(actionName);
   var attr = (method.GetCustomAttribute(typeof(AuthorizeAttribute), true) as AuthorizeAttribute);
   if (attr != null)
   {
      string[] methodRequeredRoles = attr.Roles.Split(',');
      userHasRequeredRole = methodRequeredRoles.Any(r => user.IsInRole(r.Trim())); // user roles check in depends on implementation authorization in you site  
                                                                                            // In a simple version that might look like                                                                         
   }
   else userHasRequeredRole = true; //method don't have Authorize Attribute
   return userHasRequeredRole ? value.Action(actionName, controllerName, routeValues) : MvcHtmlString.Empty; 
 }

Using in view:

@Html.ActionBaseRole("List","Call",new {id=Model.id},User)
Ilya Sulimanov
  • 7,636
  • 6
  • 47
  • 68
0

If you do not like this logic in the view - move it somewhere else. For example you can make your own extension method and use it like @Html.ActionOrNothing(...).

And the implementation should check if user has permissing to view something and return an empty string/view otherwise.

Aleksei Poliakov
  • 1,322
  • 1
  • 14
  • 27