0

So I'm setting up permissions for an MVC website. I'm doing role-based permissions, where actions in a controller require different roles depending on the purpose of the action. I know that the most recommended approach would be AuthorizeAttribute (as I want the roles cached), but is it possible to have the same with the ActionFilterAttribute?

Currently I have an ActionFilterAttribute similar to this:

```csharp
using System.Web.Mvc;

public class PermissionRequired : ActionFilterAttribute
{
    private readonly Role reqrole;

    public PermissionRequired(Role reqRole)
    {
        reqrole = reqRole;
    }

    // Runs just before the action method executes.
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var ctrl = (GeneralController)filterContext.Controller;

        // CurrentUser is null for anonymous requests, so check it before InRole.
        if (ctrl.CurrentUser == null || !ctrl.CurrentUser.InRole(reqrole))
        {
            // some code to redirect this to a certain page
        }
        base.OnActionExecuting(filterContext);
    }
}
```

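And on the GeneralController, to get the current user:

```csharp
public class GeneralController : Controller
{
    private User currentUser;

    // Loads the signed-in user once and caches it on the controller instance.
    public User CurrentUser
    {
        get
        {
            if (currentUser != null)
                return currentUser;

            // Identity.Name is empty for anonymous requests, so parse defensively;
            // currentUserId stays 0 when the name is not a number.
            int currentUserId;
            int.TryParse(HttpContext.User.Identity.Name, out currentUserId);

            if (currentUserId != 0)
            {
                this.currentUser = Tds.Users.FirstOrDefault(u => u.Id == currentUserId);
            }

            return currentUser;
        }
    }
}
```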

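And on the controllers that will inherit this attribute:

```csharp
// Must derive from GeneralController, because the filter casts to it.
[PermissionRequired(Role.Moderator)]
public class SomeControllerThatNeedsPermission : GeneralController
{
    [PermissionRequired(Role.SuperAdmin)]
    public ActionResult SomeActionThatNeedsPermission()
    {
        return View();
    }
}
```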

So, anybody's help is appreciated. Even comments or thoughts are welcome :D

Thanks much!

gdubs
  • I wrote something similar to this and stuck it on SourceForge; it might save you some time. https://sourceforge.net/projects/simplerolesecur/ – Jeremy Holovacs Aug 05 '11 at 20:24
  • 2
    (Not an actual solution, so this is a comment instead) There's a great blog post with some things to keep in mind or be aware of [here](http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx). I found it very helpful in a recent project. – Rick Liddle Aug 05 '11 at 20:40
  • @Rick Liddle: that is a very helpful article. Thanks! @Jeremy: I'll look at it :) – gdubs Aug 08 '11 at 05:51
  • Did you find any answer for this? – Parminder Nov 10 '11 at 01:06
  • Yeah, assign a role on every action, but don't use cached values like I was showing in the comments. Use a string, e.g. [PermissionRequired("Admin")], then convert this on ActionFilterRequired to a Role using the constructor of the attribute PermissionRequired. – gdubs Nov 10 '11 at 17:48

1 Answer

0

It seems like you are not using custom membership here. In which case doing this with an ActionFilterAttribute is somewhat pointless, but nonetheless doable.

This is an excellent article on the same subject - extending the AuthorizeAttribute to perform role based validation and return custom errors...

The value in doing that also only comes across (as explained in the article) when you wish to show users what's going on when the authorization fails (the 401 is not shown; it turns into a 302 internally in the MVC plumbing).

vvohra87
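The approach the answer describes, as an added example (not code from the post or from the linked article): a role check built on AuthorizeAttribute, which runs before action filters and is re-run for output-cached responses, and which returns 403 instead of a login redirect when a signed-in user lacks the role. The Role values come from the question; RoleAuthorizeAttribute, ModerationController, Purge and the mapping of enum names to IPrincipal role names are assumptions.

```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Assumption: a Role enum like the one used in the question.
public enum Role { Moderator, SuperAdmin }

public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    private readonly Role[] anyOf;

    public RoleAuthorizeAttribute(params Role[] anyOf)
    {
        this.anyOf = anyOf ?? new Role[0];
    }

    // Called during the authorization stage and again from the cache validation
    // callback that AuthorizeAttribute registers, so it must depend only on
    // httpContext and immutable state.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // not authenticated
        // Assumption: role names on the principal match the enum member names.
        return anyOf.Length == 0 || anyOf.Any(r => httpContext.User.IsInRole(r.ToString()));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Signed in but missing the role: a 401 would become a 302 to the
            // login page under forms authentication, so answer 403 instead.
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext); // 401, then login redirect
        }
    }
}

// Hypothetical usage: controller-level and action-level attributes must both pass.
[RoleAuthorize(Role.Moderator, Role.SuperAdmin)]
public class ModerationController : Controller
{
    [RoleAuthorize(Role.SuperAdmin)]
    public ActionResult Purge() { return View(); }
}
```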