I have an ASP.NET MVC application which has two controllers - one will be used for all registered users (thus only users held within the User table in the database can access this controller) and another for admins (an admin is determined by a True value in the Admin attribute within the User table).

Just to clarify, the User table has four attributes:
ID (int) - this is the same ID as the user's Windows ID
Forename (nvarchar)
Surname (nvarchar)
Admin (bit)

I've done a bit of research around this but have failed to understand which route I should take. Within ASP.NET MVC4, what would be the best approach to restricting access based on whether a user is an Admin or not? And also to restricting access to the general controller to users who have their ID stored within the database?

Any help would be greatly appreciated. Thanks.

Martin

1 Answer

It would be MUCH easier to put all your admins in an AD group. Then you can just use the authorize attribute - http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

But if you need to use this "user table" then I think that you will have to put an if statement into every controller method. Something like this:

// Identify the Windows-authenticated caller and branch on the Admin bit
string username = User.Identity.Name;
// db is assumed to be an Entity Framework DbContext with a Users DbSet;
// LookupUserId is a placeholder for however the Windows identity maps onto
// the User table's ID column (not defined here)
int userId = LookupUserId(username);
bool isAdmin = db.Users.Any(u => u.ID == userId && u.Admin);
if (isAdmin)
{
    return View();
}
else
{
    // Hide the admin area from non-admins rather than revealing it exists
    return HttpNotFound();
}
abiNerd
  • Thanks for your reply abiNerd! This is a solution I should have researched more, I did not know much about AD as I'm still learning. Would it be possible to partly manage the AD through the app? i.e. if a user was being granted admin access would c# code be available to add this member to the AD group? Many thanks – Martin Oct 01 '14 at 15:27
  • Yes it is possible - http://stackoverflow.com/questions/2143052/adding-and-removing-users-from-active-directory-groups-in-net – abiNerd Oct 02 '14 at 07:28
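Instead of repeating the database check in every action, the same "user table" approach can be centralised in a custom authorization filter so that each controller fails closed by default. The following is an added example written for this thread, not code from either poster. It assumes Windows authentication, an Entity Framework model matching the User table from the question, and a hypothetical IUserRepository that resolves the Windows identity to a row in that table (how the Windows identity maps onto the integer ID column is not specified on the page, so that mapping is left to the repository).

```csharp
using System.Web;
using System.Web.Mvc;

// Assumed EF entity matching the User table described in the question
public class User
{
    public int ID { get; set; }          // same as the user's Windows ID
    public string Forename { get; set; }
    public string Surname { get; set; }
    public bool Admin { get; set; }
}

// Hypothetical lookup abstraction: returns the User row for the
// Windows-authenticated caller, or null if they are not registered
public interface IUserRepository
{
    User FindByWindowsIdentity(string identityName);
}

// Central gate: the request is allowed only if the caller is Windows-authenticated
// AND present in the User table; RequireAdmin additionally demands the Admin bit.
public class DatabaseAuthorizeAttribute : AuthorizeAttribute
{
    public bool RequireAdmin { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: Windows authentication must have identified the caller
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Resolve the repository from the app's DI container (assumed to be registered)
        var repo = DependencyResolver.Current.GetService<IUserRepository>();
        User user = repo.FindByWindowsIdentity(httpContext.User.Identity.Name);

        if (user == null)
            return false;                 // not in the User table: not a registered user

        return !RequireAdmin || user.Admin; // admin area also needs Admin == true
    }

    // An authenticated caller who is simply not permitted gets 403 rather than the
    // default 401, which under Windows authentication would re-prompt for credentials
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// General controller: any registered user (row present in the User table)
[DatabaseAuthorize]
public class UsersController : Controller
{
    public ActionResult Index() { return View(); }
}

// Admin controller: registered user whose Admin bit is set
[DatabaseAuthorize(RequireAdmin = true)]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Applying the attribute at controller level means a newly added action is protected without anyone remembering to add an if statement, and a lookup failure denies access rather than allowing it. The 403 handling matters under Windows authentication: the stock AuthorizeAttribute answers with 401, which makes the browser retry the same credentials in a loop instead of telling the user they are not an admin.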