
I have overridden the AuthorizeAttribute class for role-based authorization in our MVC application.

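/// <summary>
/// Saves an edited TrM record. Only the properties named in the Bind list are taken
/// from the request.
/// </summary>
/// <remarks>
/// The CustomAuthorize attribute on this action is the access control: hiding or
/// disabling the Edit link in a view does not stop a request sent directly to this URL.
/// NOTE(review): this state-changing POST carries no [ValidateAntiForgeryToken]; add it
/// together with @Html.AntiForgeryToken() in the posting form.
/// </remarks>
/// <param name="trM">The record bound from the posted form.</param>
/// <returns>A redirect to the "View" action on success, otherwise the edit view again.</returns>
[HttpPost]
[CustomAuthorize(Roles = "AddCOA")]
public ActionResult Edit([Bind(Include = "N100,S104,S103,S101,S1,S100,D1")] TrM trM)
{
    if (ModelState.IsValid)
    {
        // The whole entity is marked Modified, not just the bound properties.
        // NOTE(review): properties outside the Bind list hold default values at this
        // point and would be written too - confirm that is intended.
        db.Entry(trM).State = EntityState.Modified;
        db.SaveChanges();

        // trM is passed as route values, so its properties appear in the redirect URL.
        return RedirectToAction("View", trM);
    }

    // Validation failed: show the form again with the submitted values and errors.
    return View(trM);
}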

I am calling this controller method from view with a list of Vouchers. Now I have to disable the Edit ActionLink button in view for a certain role, how can I achieve this?

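@* The helper is ActionLink (C# is case-sensitive). The explicit null routeValues selects
   the overload in which "Controller" is the controller name and the anonymous object is
   the HTML attributes; with four arguments "Controller" is bound as routeValues instead. *@
@Html.ActionLink("Edit", "Edit", "Controller", null, new { @class = "btn btn-success" })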

For now it automatically redirects the view to login page.

Krunal Mevada
geekowls

2 Answers


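You can use Razor to check whether the current user is in the specified role. This only changes what the page shows; the [CustomAuthorize] attribute on the action is still what rejects a request from a user without the role: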

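@* Presentation only: the "disabled" class changes how the button looks, but the Edit URL
   can still be requested, so the action must keep its [CustomAuthorize(Roles = "AddCOA")].
   The explicit null routeValues makes "Controller" the controller name and the anonymous
   object the HTML attributes. *@
@if (User.IsInRole("AddCOA"))
{
    @Html.ActionLink("Edit", "Edit", "Controller", null, new { @class = "btn btn-success" })
}
else
{
    @Html.ActionLink("Edit", "Edit", "Controller", null, new { @class = "btn btn-success disabled" })
}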
alisabzevari

Way 1:

You can handle it on the server side with a custom ActionLink extension that decides, based on the user's role, whether to render the Edit link:

/// <summary>
/// ActionLink-style helpers that render the anchor only when the role check passes and
/// render nothing otherwise. Every overload forwards to the last one, which holds the check.
/// </summary>
/// <remarks>
/// Leaving the link out is a presentation decision. A user who knows the URL can still
/// request the action, so the target action needs its own authorization attribute.
/// </remarks>
public static class LinkExtensions
{
    /// <summary>Link to an action on the current controller, no route values or attributes.</summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName)
    {
        var emptyRouteValues = new RouteValueDictionary();
        var emptyAttributes = new RouteValueDictionary();
        return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, emptyRouteValues, emptyAttributes);
    }

    /// <summary>Link to an action on the current controller with route values given as an object.</summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, object routeValues)
    {
        var routeDictionary = new RouteValueDictionary(routeValues);
        var emptyAttributes = new RouteValueDictionary();
        return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, routeDictionary, emptyAttributes);
    }

    /// <summary>Link to an action on a named controller, no route values or attributes.</summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName)
    {
        var emptyRouteValues = new RouteValueDictionary();
        var emptyAttributes = new RouteValueDictionary();
        return htmlHelper.ActionLinkAuthorized(linkText, actionName, controllerName, emptyRouteValues, emptyAttributes);
    }

    /// <summary>Link to an action on the current controller with a route value dictionary.</summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, RouteValueDictionary routeValues)
    {
        var emptyAttributes = new RouteValueDictionary();
        return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, routeValues, emptyAttributes);
    }

    /// <summary>Link to an action on the current controller; route values and HTML attributes given as objects.</summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, object routeValues, object htmlAttributes)
    {
        var routeDictionary = new RouteValueDictionary(routeValues);
        var attributeDictionary = new RouteValueDictionary(htmlAttributes);
        return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, routeDictionary, attributeDictionary);
    }

    /// <summary>Link to an action on the current controller; route values and HTML attributes given as dictionaries.</summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, RouteValueDictionary routeValues, IDictionary<string, object> htmlAttributes)
    {
        return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, routeValues, htmlAttributes);
    }

    /// <summary>Link to an action on a named controller; route values and HTML attributes given as objects.</summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName, object routeValues, object htmlAttributes)
    {
        var routeDictionary = new RouteValueDictionary(routeValues);
        var attributeDictionary = new RouteValueDictionary(htmlAttributes);
        return htmlHelper.ActionLinkAuthorized(linkText, actionName, controllerName, routeDictionary, attributeDictionary);
    }

    /// <summary>
    /// The overload every other one ends in: renders the link when the role check passes,
    /// otherwise returns an empty string so nothing is written to the page.
    /// </summary>
    public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName, RouteValueDictionary routeValues, IDictionary<string, object> htmlAttributes)
    {
        // UserInRole() stands for the application's own role check; it is not defined in this listing.
        if (!UserInRole())
        {
            return MvcHtmlString.Empty;
        }

        return htmlHelper.ActionLink(linkText, actionName, controllerName, routeValues, htmlAttributes);
    }
}

and use it in View:

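@* The explicit null routeValues selects the overload in which "Controller" is the
   controller name and the anonymous object is the HTML attributes; with four arguments
   "Controller" would be bound as routeValues. *@
@Html.ActionLinkAuthorized("Edit", "Edit", "Controller", null, new { @class = "btn btn-success" })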

Way 2:

You can modify your custom attribute so that it redirects to a page telling the user that he/she is not authorized to view this page:

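/// <summary>
/// Action filter that sends a caller who fails the access check to the forms-authentication
/// login URL, carrying the originally requested path in a returnUrl query parameter.
/// </summary>
/// <remarks>
/// NOTE(review): an action filter runs after the authorization stage and is not consulted
/// when a response is served from the output cache; deriving from AuthorizeAttribute covers
/// both cases - confirm which behaviour is intended.
/// </remarks>
public class AuthorizationAttribute : ActionFilterAttribute
{
    /// <summary>Runs before the action; short-circuits with a redirect when access is denied.</summary>
    /// <param name="filterContext">Context of the action about to execute.</param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // AllowedToAccess() stands for the application's own role check; it is not defined in this listing.
        if (!AllowedToAccess())
        {
            // Encode the path so that '?' and '&' in the original request cannot be read
            // as extra parameters of the login URL. Whatever later consumes returnUrl
            // should accept local URLs only (for example via Url.IsLocalUrl).
            string returnUrl = System.Uri.EscapeDataString(filterContext.HttpContext.Request.Url.PathAndQuery);

            // Setting Result stops the action from running, without ending the response
            // from inside the filter as Response.Redirect(url, true) does.
            filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl + "?returnUrl=" + returnUrl);
            return;
        }

        // Authorized: let the action run.
        base.OnActionExecuting(filterContext);
    }
}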

and in Web.config set the URL of the action that will be called when the user is not in the role:

<!-- loginUrl is what FormsAuthentication.LoginUrl returns, so the filter's redirect lands on
     ~/UnAuthorized. NOTE(review): forms authentication also sends users who have not signed
     in at all to this URL, so the page has to serve both cases - confirm.
     NOTE(review): timeout is in minutes; 2880 keeps a ticket valid for 48 hours - confirm
     that lifetime is acceptable. -->
<authentication mode="Forms">
      <forms loginUrl="~/UnAuthorized" timeout="2880" />
</authentication>
Ehsan Sajjad