3

Side note: I am using VS2013 Express and have installed nothing else.

I am building an intranet site with the following authentication/authorisation goals:

  • Custom roles using the Roles class
  • No need for logging in; if you are signed into Windows, then you're allowed to see the app
  • Be able to use [Authorize(Roles="Admin")] kind of attributes
  • Be able to manage the Users (Create/Delete/List/Edit) from a UserManagement page.

I have been following this: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

But I'm not sure how to create / list out the users... This is what I have so far:

I have added a user and assigned him to a role; when I use Membership.GetAllUsers() it returns none.

Web.config bits:

<authentication mode="Windows"></authentication>

<authorization>
  <deny users="?" />
</authorization>

<roleManager enabled="true" defaultProvider="SqlRoleManager">
  <providers>
    <clear/>

    <add name="SqlRoleManager"
         type="System.Web.Security.SqlRoleProvider"
         connectionStringName="EFDbContext"
         applicationName="TEST" />

  </providers>
</roleManager>

<membership defaultProvider="SqlProvider"
  userIsOnlineTimeWindow="15">
  <providers>
    <add
      name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="EFDbContext"
      applicationName="TEST"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      requiresUniqueEmail="false"
      passwordFormat="Hashed"
      maxInvalidPasswordAttempts="5"
      passwordAttemptWindow="10" />
  </providers>
</membership>

I added my first user in Global.asax like this:

        if(!Roles.RoleExists("Admin"))
        { 
            Roles.CreateRole("Admin");
            Roles.AddUserToRole(@"JIMMYT1988\jimmyt1988", "Admin");
        }

The user and role are working because if I block access to Admin, I'm allowed in... whereas if I created the user without adding the role, he wasn't allowed access... so that's all good and working.

This is me blocking access to only the role of Admin:

[Authorize(Roles = "Admin")]
public class UserController : Controller
{
    private IUserRepository repository;

    public UserController(IUserRepository repo)
    {
        repository = repo;
    }

    public PartialViewResult List()
    {
        IEnumerable<User> users = repository.Users;

        UserListViewModel viewModel = new UserListViewModel();
        viewModel.Users = users;
        viewModel.TotalUsers = Membership.GetNumberOfUsersOnline().ToString();

        return PartialView(viewModel);
    }
}

So I am assuming the user and role of admin are working correctly and I can see the entries in the database... The above controller is part of an abstract -> concrete mapping for specifically membershipprovider users... but I have debugged on the GetAllUsers line and that actually returns the empty list; it's not the mapping going wrong.

Finally I call this:

            MembershipUserCollection users = Membership.GetAllUsers();

which returns no users.

Any idea?


Jimmyt1988
  • Why does this question have a down vote? Can I add more information? I'm pretty new to C# etc. – Jimmyt1988 Dec 19 '13 at 10:54
  • The user "JIMMYT1988\jimmyt1988" exists? – alexmac Dec 19 '13 at 10:55
  • I've added a bit more to my OP that says why I made the assumption that the user does indeed exist. – Jimmyt1988 Dec 19 '13 at 10:56
  • Sorry, but I don't see how you are creating a user. You wrote: 'I added my first user in Global.asax like this:', but you have added a role, not a user. You should check current roles and users from ASP.NET Configuration (Visual Studio -> Project -> ASP.NET Configuration). – alexmac Dec 19 '13 at 11:02
  • Roles.AddUserToRole(@"JIMMYT1988\jimmyt1988", "Admin"); It seems to add a User and then assigns that user to a role thereafter. I see the entry in my database for my user. Finally my users/membership will be dealt with inside SQL... along the same lines as this chap's example: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx – Jimmyt1988 Dec 19 '13 at 11:05
  • Roles.AddUserToRole doesn't create the user; it only adds the role for an already existing user. I don't know how you added the record in aspnet_Users. Also, check the table aspnet_Membership; there should be one record related to aspnet_Users. – alexmac Dec 19 '13 at 11:19
  • Having had a thought about what I want to do (thanks for your comment btw), I guess the big question is: How do I go about creating a user that doesn't need a password and yet still be able to list the users out? We're talking intranet application here. – Jimmyt1988 Dec 19 '13 at 12:09

1 Answer

0

First you need to create your user using the static Membership.CreateUser method:

MembershipUser newUser = Membership.CreateUser(@"JIMMYT1988\jimmyt1988", "password");

And then you can add that user to the role.

Regarding your comment:

How do I go about creating a user that doesn't need a password and yet still be able to list the users out?

I'm not positive, but I think you can set the password related Membership properties to have "0" be the "required length" of a password.

You can add this to the membership section of your web.config:

minRequiredPasswordLength="0"
Josh Darnell
  • minRequiredPasswordLength unfortunately did not work with 0. "Additional information: The password supplied is invalid. Passwords must conform to the password strength requirements configured for the default provider." – Jimmyt1988 Jan 02 '14 at 14:49
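
An added example, not part of the original question or answer: with Windows authentication the account names can be listed through the role provider itself, so the app does not need to store a password for each Windows account just to enumerate users. It uses the existing Roles.GetAllRoles, Roles.GetUsersInRole, Roles.IsUserInRole and Roles.AddUserToRole calls; the class and method names are hypothetical, and an account that holds no role will not appear in the list.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added example (hypothetical helper, not from the original post).
// Runs inside the ASP.NET app configured with the roleManager section above.
public static class RoleUserDirectory
{
    // Returns every account name known to the role provider,
    // mapped to the roles it holds. Accounts with no role are not listed.
    public static IDictionary<string, List<string>> GetUsersWithRoles()
    {
        var map = new SortedDictionary<string, List<string>>(
            StringComparer.OrdinalIgnoreCase);

        foreach (string role in Roles.GetAllRoles())
        {
            foreach (string user in Roles.GetUsersInRole(role))
            {
                List<string> roles;
                if (!map.TryGetValue(user, out roles))
                {
                    roles = new List<string>();
                    map[user] = roles;
                }
                roles.Add(role);
            }
        }
        return map;
    }

    // Grants a role to a Windows account (DOMAIN\user) without creating
    // a membership record or storing any password for it.
    public static void Grant(string windowsAccount, string role)
    {
        if (string.IsNullOrWhiteSpace(windowsAccount) ||
            windowsAccount.IndexOf('\\') < 0)
        {
            throw new ArgumentException("Expected DOMAIN\\user", "windowsAccount");
        }

        if (!Roles.RoleExists(role))
            Roles.CreateRole(role);

        // Check first so a repeated grant is a no-op rather than an error.
        if (!Roles.IsUserInRole(windowsAccount, role))
            Roles.AddUserToRole(windowsAccount, role);
    }
}
```

A UserManagement controller protected with [Authorize(Roles = "Admin")] can bind its list view to GetUsersWithRoles() and call Grant(...) from its create action.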