I have an MVC app which has the following route config

In Global.ascx

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
    }

In the RouteConfig.cs I have

    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional }
        );
    }
    
Now if I type https://localhost/users in the browser, this will take me to the UsersController and call the Index() ActionResult. In there I do a check to see if the user has access to the view or not, as follows:

    public ActionResult Index()
    {
        if (<User has access condition check>)
        {
            return View();
        }
        return View("~/Views/PermissionError.cshtml");
    }

The issue is that I have about 30 pages in my app that the user can browse to by typing in the browser URL. So instead of doing the check in every Index ActionResult, is there a way I can do the check in my route config or somewhere else that does the permission check and, if they are allowed to view the page, continues to the page, else shows the error page?

Kelly

1 Answer

is there a way i can do the check in my route config or somewhere else that does the permission check

Yes, you could write a custom AuthorizeAttribute to do it.

You can try to write a custom AuthorizeAttribute and register it in the global filter settings.

Here is sample code which you can edit with your real logic:

    public class AuthorizeBrowsingAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // Skip the check when the action or its controller is marked [AllowAnonymous]
            var isAnonAllowed = filterContext.ActionDescriptor.IsDefined(
                    typeof(AllowAnonymousAttribute), true) ||
                filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(
                    typeof(AllowAnonymousAttribute), true);

            // User did not pass the access check: render the error view instead of the action.
            // (A RedirectResult to a .cshtml path would fail, because ~/Views cannot be requested directly.)
            if (!<User has access condition check> && !isAnonAllowed)
            {
                filterContext.Result = new ViewResult { ViewName = "~/Views/PermissionError.cshtml" };
            }
        }
    }

This code registers our custom AuthorizeAttribute:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeBrowsingAttribute());
    }

If there are some pages for which you don't want to do the permission check, you can add the AllowAnonymous attribute on the view method.

    [AllowAnonymous]
    public ActionResult NoPermission()
    {
        return View();
    }
D-Shih
  • Thanks for that, but I'm a bit confused as to how to add it all in my app. Is there by any chance a sample app in C#? – Kelly Apr 03 '22 at 02:06
  • @Kelly https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api – gunr2171 Apr 03 '22 at 02:11
  • I can't seem to get it going, so I guess I may have to implement it in all 30 ActionResults. I know it's not elegant. – Kelly Apr 03 '22 at 20:54
  • @Kelly You don't need to implement it in all 30 ActionResults, just hook it up as the global filter; it will work for the 30 ActionResults – D-Shih Apr 03 '22 at 23:44
  • At the moment if a user logs in, I read their settings from a db and when for example I go to the userdetails ActionResult I read that setting and if true I display the View(), else I display the error page. Now for all the other views there will be different options that I must read. – Kelly Apr 04 '22 at 00:04
  • That's what I can't really see how the global filter will do. Sorry, I haven't used it before, trying to understand its functionality. Every day is a learning day I guess. – Kelly Apr 04 '22 at 00:05
  • @Kelly https://stackoverflow.com/questions/16709853/asp-net-mvc4-authorize-on-both-controller-and-action/16713334 – D-Shih Apr 04 '22 at 02:55
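An added example (not part of D-Shih's answer or Kelly's app) showing how one global filter can cover the per-page settings Kelly describes in the comments: it derives a permission key such as "Users.Index" from the controller and action, looks it up in a per-user permission set, and renders the error view directly. The `IPermissionStore` interface and the in-memory `InMemoryPermissionStore` are assumptions standing in for Kelly's db read.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Assumed abstraction over the per-user settings read from the db (hypothetical name).
public interface IPermissionStore
{
    ISet<string> GetPermissions(string userName); // keys like "Users.Index"
}

// Constructed in-memory store so the example compiles; replace with the real db lookup.
public class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, HashSet<string>> Data =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        { { "alice", new HashSet<string> { "Users.Index", "Home.Index" } } };

    public ISet<string> GetPermissions(string userName)
    {
        HashSet<string> set;
        return Data.TryGetValue(userName, out set) ? set : new HashSet<string>();
    }
}

public class PermissionFilterAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly IPermissionStore _store;
    public PermissionFilterAttribute(IPermissionStore store) { _store = store; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        bool anonAllowed = action.IsDefined(typeof(AllowAnonymousAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (anonAllowed) return;

        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult(); // forms auth sends to login
            return;
        }

        // One key per page, so the 30 actions need no per-action code.
        string key = action.ControllerDescriptor.ControllerName + "." + action.ActionName;
        if (!_store.GetPermissions(user.Identity.Name).Contains(key))
        {
            // Render the error view; redirecting to a .cshtml under ~/Views would 404.
            filterContext.Result = new ViewResult { ViewName = "~/Views/PermissionError.cshtml" };
        }
    }
}
```

Register it once in RegisterGlobalFilters with `filters.Add(new PermissionFilterAttribute(new InMemoryPermissionStore()));`, exactly as the answer registers its attribute.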