
We are trying to implement security with our predefined set of permissions, which will serve the purpose of deciding whether to execute an action method, whether to show the view or not, whether to hide a specific control (like a button, textbox etc.) and so on. So, while the user is logging in to the application we have the data of the user's role and their permissions.

So, my question is whether we should go for ActionFilter or Authorize Filter? Initially we tried with ActionFilter, but my action filter is getting called even though the particular action is NOT executed/called.

Action Filter

using Microsoft.AspNetCore.Mvc.Filters;

namespace LMS.Web.Core.Classes
{
    public class SecurityFilter : ActionFilterAttribute
    {
        private string permissionName;
        private Permissions permissions;

        public SecurityFilter(string m_permissionName)
        {
           permissionName = m_permissionName;
        }

        public override void OnActionExecuted(ActionExecutedContext context)
        {
            base.OnActionExecuted(context);
        }

        public override void OnActionExecuting(ActionExecutingContext context)
        {
            base.OnActionExecuting(context);
        }
    }
}

and this action filter I have applied to one action method

 [Route("Course/Info")]
 [SecurityFilter("some permission name")]

 public ActionResult CourseDetails()
 {
    return View();
 }

So, while logging in to the application the action filter is getting called. Why is this so?

We want to use the filter on the view and controller side. So, basically we are looking for something like this

 [Route("Course/Info")]
 [SecurityFilter(PermissionName = "some permission")]

 public ActionResult CourseDetails()
 {
    return View();
 }

using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc.Filters;

public class SecurityFilter : ActionFilterAttribute
{
    // Service the filter is supposed to receive; it stays null when the attribute
    // is created through the default constructor below
    private readonly SessionServices session;

    public string PermissionName { get; set; }

    public SecurityFilter(SessionServices _session)
    {
        session = _session;
    }

    public SecurityFilter()
    {
        // Unable to remove the default constructor
        // because of a compilation error while using the
        // attribute in my controller
    }

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (session.GetSession<List<OrganizationUserRolePermission>>("OrganizationUserRolePermission") != null)
        {
            List<OrganizationUserRolePermission> permissionList =
                session.GetSession<List<OrganizationUserRolePermission>>("OrganizationUserRolePermission");

            bool checkPermission = permissionList.Any(m => m.PermissionName == PermissionName);
            if (!checkPermission)
            {
                // Redirect to unauthorized access page/error page
            }
        }

        base.OnActionExecuting(context);
    }
}

and whatever permission we pass to the filter will be checked to see whether the user has that permission or not. Also, we are trying to inject the session service into the filter, but are getting session null.

XamDev
  • What do you mean "implement the security on it"? – John Wu Mar 20 '17 at 05:42
  • @JohnWu I have updated the question – XamDev Mar 20 '17 at 05:45
  • Do you have any code that retrieves the user's permissions from somewhere? How does your site know what they are? – John Wu Mar 20 '17 at 05:46
  • Yes, while logging in to the application we have checked the user's role and what permissions are assigned to the user; we have kept that info in a list in one session variable. We have decided on a naming convention for permissions like `course.courselist.show` where `course` is the main entity/controller and `courselist` is the action method – XamDev Mar 20 '17 at 05:49
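The session comes back null because attributes are instantiated by reflection from their constructor arguments, never by the DI container, so the parameterless constructor is the one that runs and `session` is never assigned. The following is an added example (not code from the question or its project) of the usual way round that: the attribute keeps only the constant permission name and implements `IFilterFactory`, which hands creation of the real filter to `IServiceProvider` on each request. `OrganizationUserRolePermission`, `SessionServices` (here a JSON-in-session stand-in for the question's unseen class) and the `Error/AccessDenied` route are assumptions; the check runs as an authorization filter so a denied request never reaches the action body, and it fails closed when no permission list is in session.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Assumed shape of the question's OrganizationUserRolePermission row.
public class OrganizationUserRolePermission
{
    public string PermissionName { get; set; }
}

// Assumed stand-in for the question's SessionServices: the list is stored as JSON
// under the session key the question uses and read back per request through
// IHttpContextAccessor. Needs services.AddSession() and app.UseSession().
public class SessionServices
{
    private readonly IHttpContextAccessor _accessor;

    public SessionServices(IHttpContextAccessor accessor) => _accessor = accessor;

    public T GetSession<T>(string key) where T : class
    {
        string json = _accessor.HttpContext?.Session.GetString(key);
        return json == null ? null : JsonSerializer.Deserialize<T>(json);
    }
}

// The attribute holds only the compile-time constant (the permission name).
// IFilterFactory lets MVC build the real filter from the DI container per request,
// which is how a filter gets a service without a service-typed attribute constructor.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequirePermissionAttribute : Attribute, IFilterFactory
{
    public string PermissionName { get; }

    public RequirePermissionAttribute(string permissionName) => PermissionName = permissionName;

    // New instance per request, because SessionServices is request-scoped.
    public bool IsReusable => false;

    public IFilterMetadata CreateInstance(IServiceProvider serviceProvider)
        => new PermissionAuthorizationFilter(
            serviceProvider.GetRequiredService<SessionServices>(), PermissionName);
}

// An authorization filter runs before model binding and action filters, so a
// denied request never reaches the action body at all.
public class PermissionAuthorizationFilter : IAuthorizationFilter
{
    private readonly SessionServices _session;
    private readonly string _permissionName;

    public PermissionAuthorizationFilter(SessionServices session, string permissionName)
    {
        _session = session;
        _permissionName = permissionName;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var permissions = _session.GetSession<List<OrganizationUserRolePermission>>(
            "OrganizationUserRolePermission");

        // Fail closed: no list in session (not logged in, session expired) is a denial,
        // not a pass-through to the action.
        bool allowed = permissions != null
            && permissions.Any(p => string.Equals(p.PermissionName, _permissionName,
                                                  StringComparison.Ordinal));

        if (!allowed)
        {
            // Assigning Result short-circuits the pipeline; the action never executes.
            // "AccessDenied" on "Error" is an assumed route for the unauthorized page.
            context.Result = new RedirectToActionResult("AccessDenied", "Error", null);
        }
    }
}

// The question's action with the new attribute.
public class CourseController : Controller
{
    [Route("Course/Info")]
    [RequirePermission("course.courselist.show")]
    public ActionResult CourseDetails() => View();
}

// Registration in ConfigureServices (assumed):
//   services.AddSession();
//   services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
//   services.AddScoped<SessionServices>();
// and in Configure, app.UseSession() before the MVC middleware.
```

`[TypeFilter(typeof(PermissionAuthorizationFilter), Arguments = new object[] { "course.courselist.show" })]` does the same job without a custom attribute, since `TypeFilterAttribute` itself is an `IFilterFactory`; the custom attribute just reads better on the action.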

1 Answer

  1. I'm not sure about your use case for passing the SessionServices instance to the filter attribute constructor, but this is not possible, as any argument to an Attribute invocation must be a compile-time constant value.

    Reference

    Attribute parameters are restricted to constant values of the following types:
    
     - Simple types (bool, byte, char, short, int, long, float, and double)
     - string
     - System.Type
     - enums
     - object (The argument to an attribute parameter of type object must be
       a constant value of one of the above types.)
     - One-dimensional arrays of any of the above types
    

    Rather you could retrieve the stored session data inside the OnActionExecuting method directly to check the needed permissions.

  2. Ideally the Authorize attribute would be more appropriate in your case to check the user permissions before allowing access to any view. I believe ActionFilter is more suitable for things like logging before/after the action execution.
  3. Regarding the below:

    So, while logging into the application the action filter is getting called. why this is so ?

    1. Please check the filter registration in your application code. If the filter is applied only to a specific action (e.g. CourseDetails in your case), then it will be called only when that particular action executes.
    2. Alternatively, please include the Login action in your question so that we can check for the problem, if any.

I hope this would help find a solution in your case!

Sivaram Koduri
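Point 2 of the answer recommends the built-in Authorize attribute. As an added example (not code from the answer, the question or its project), this is the policy-based form of that advice: permission names become claims on the principal at login, a requirement/handler pair checks them, and a policy provider turns any `[Authorize(Policy = "permission:<name>")]` into a policy on the fly, so no session lookup and no per-permission registration are needed. `PermissionPrincipal.Build`, the `"permission"` claim type and the `"permission:"` prefix are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// One requirement per permission name, e.g. "course.courselist.show".
public class PermissionRequirement : IAuthorizationRequirement
{
    public string PermissionName { get; }
    public PermissionRequirement(string permissionName) => PermissionName = permissionName;
}

// The handler only inspects the signed-in principal's claims; no session access.
public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    public const string ClaimType = "permission"; // assumed claim type

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   PermissionRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == ClaimType
                && string.Equals(c.Value, requirement.PermissionName, StringComparison.Ordinal)))
        {
            context.Succeed(requirement);
        }
        // Not calling Succeed leaves the requirement unmet: the framework returns 403
        // (or redirects to the access-denied page under cookie authentication).
        return Task.CompletedTask;
    }
}

// Builds a policy on demand for any [Authorize(Policy = "permission:<name>")], so
// individual permissions need not be registered by hand in AddAuthorization.
public class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public const string Prefix = "permission:"; // assumed naming convention

    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        if (policyName.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new PermissionRequirement(policyName.Substring(Prefix.Length)))
                .Build();
            return Task.FromResult(policy);
        }
        return base.GetPolicyAsync(policyName);
    }
}

// At login (assumed helper): the permission names loaded for the user's role become
// claims on the principal that is signed in, replacing the session list.
public static class PermissionPrincipal
{
    public static ClaimsPrincipal Build(string userName, IEnumerable<string> permissionNames,
                                        string authenticationScheme)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        claims.AddRange(permissionNames.Select(p => new Claim(PermissionHandler.ClaimType, p)));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationScheme));
    }
}

// The question's action, now guarded by the built-in Authorize attribute.
public class CourseController : Controller
{
    [Route("Course/Info")]
    [Authorize(Policy = "permission:course.courselist.show")]
    public ActionResult CourseDetails() => View();
}

// Registration in ConfigureServices (assumed):
//   services.AddAuthorization();
//   services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
//   services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
// plus whatever cookie/identity authentication the application already uses.
```

The same policies serve the question's view-side requirement (hiding a button or textbox): inject `IAuthorizationService` into the view with `@inject` and call `AuthorizeAsync(User, "permission:course.courselist.show")` around the control, so the controller check and the view check share one definition of each permission.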