Today I had to add security to the application. Essentially, check whether the logged-in user has permission to access a function and, if not, redirect to an Unauthorised page. There are a few ways this can be achieved. Some developers prefer to put if/else checks in the view and show only the parts of the view the user is allowed to see. That works, but I think there is a more elegant way to handle it. This is how I achieved it.
Create an attribute that redirects unauthorised access to a SecurityController. To show custom unauthorised messages, it should accept a specific message, which is done by passing a reason string.
Here is the code for the security attribute (it's in VB.NET, but I am sure you can convert it to C# easily):
Imports System.Web.Mvc
Imports System.Web.Routing

<AttributeUsage(AttributeTargets.Method, AllowMultiple:=True, Inherited:=True)> _
Public NotInheritable Class ApplySecurityAttribute
    Inherits ActionFilterAttribute

    Private ReadOnly _permission As Integer
    Private m_Reason As String

    Public Sub New(ByVal permission As Integer)
        Me.New(permission, String.Empty)
    End Sub

    Public Sub New(ByVal permission As Integer, ByVal reason As String)
        _permission = permission
        Me.Reason = reason
    End Sub

    ' Optional message shown on the Unauthorised page.
    Public Property Reason() As String
        Get
            Return m_Reason
        End Get
        Set(ByVal value As String)
            m_Reason = value
        End Set
    End Property

    Public Overrides Sub OnActionExecuting(ByVal filterContext As ActionExecutingContext)
        If Not PermissionsManager.HasPermission(_permission) Then
            ' Permission denied: setting Result short-circuits the action and
            ' redirects to Security/Unauthorized, carrying the reason as a route
            ' value (it ends up in the query string, so the view must HTML-encode it).
            Dim routeValueDictionary = New RouteValueDictionary() From { _
                {"controller", "Security"}, _
                {"action", "Unauthorized"}, _
                {"reason", Reason} _
            }
            filterContext.Result = New RedirectToRouteResult(routeValueDictionary)
        End If
        MyBase.OnActionExecuting(filterContext)
    End Sub
End Class
Using the attribute is simple. Just declare it on a controller action like this:
<ApplySecurity(Enums.Permissions.OfficeUserViewReports, "You are not authorised to view reports")>
Here is the SecurityController class:
Namespace YourCaretaker
    Public Class SecurityController
        Inherits System.Web.Mvc.Controller

        ' Receives the reason passed by ApplySecurityAttribute and hands it to the view.
        ' Render it with Razor's @ViewBag.Reason so that it is HTML-encoded.
        Function Unauthorized(ByVal reason As String) As ViewResult
            ViewBag.Reason = reason
            Return View()
        End Function
    End Class
End Namespace
And finally the permissions manager:
Public NotInheritable Class PermissionsManager
    Private Sub New()
    End Sub

    Public Shared Function HasPermission(ByVal permissionId As Integer) As Boolean
        ' Insert your implementation here:
        ' return True if access is allowed, otherwise False.
        ' Deny by default until a real check is wired in.
        Return False
    End Function
End Class
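A concrete HasPermission that the attribute above can call, as an added example rather than the post's own code. It assumes a Permissions enum (the post's Enums.Permissions is not shown, so these member values are made up), an in-memory role-to-permission table standing in for whatever store the real application uses, and resolves the caller from HttpContext.Current.User. The overload that takes an IPrincipal lets the rule be exercised in a plain unit test without a web request, and both paths deny by default for anonymous callers.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web

' Hypothetical permission ids; the post's Enums.Permissions is not shown.
Public Enum Permissions
    OfficeUserViewReports = 100
    OfficeUserEditReports = 101
    AdminManageUsers = 200
End Enum

Public NotInheritable Class PermissionsManager
    Private Sub New()
    End Sub

    ' Constructed role-to-permission table; a real app would load this from its user store.
    Private Shared ReadOnly RolePermissions As New Dictionary(Of String, HashSet(Of Integer))(StringComparer.OrdinalIgnoreCase) From {
        {"OfficeUser", New HashSet(Of Integer) From {CInt(Permissions.OfficeUserViewReports), CInt(Permissions.OfficeUserEditReports)}},
        {"Admin", New HashSet(Of Integer) From {CInt(Permissions.AdminManageUsers), CInt(Permissions.OfficeUserViewReports)}}
    }

    ' Signature used by ApplySecurityAttribute: checks the current request's principal.
    Public Shared Function HasPermission(ByVal permissionId As Integer) As Boolean
        Dim ctx = HttpContext.Current
        If ctx Is Nothing Then Return False
        Return HasPermission(ctx.User, permissionId)
    End Function

    ' Overload taking the principal explicitly so the rule is testable without HttpContext.
    Public Shared Function HasPermission(ByVal user As IPrincipal, ByVal permissionId As Integer) As Boolean
        ' Deny by default: anonymous or unauthenticated callers never pass.
        If user Is Nothing OrElse user.Identity Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Return False
        End If
        ' Grant only if one of the user's roles carries the requested permission.
        For Each entry In RolePermissions
            If entry.Value.Contains(permissionId) AndAlso user.IsInRole(entry.Key) Then
                Return True
            End If
        Next
        Return False
    End Function

    ' Exercises the IPrincipal overload with constructed principals; no web request needed.
    Public Shared Sub Demo()
        Dim alice As IPrincipal = New GenericPrincipal(New GenericIdentity("alice"), New String() {"OfficeUser"})
        Dim anonymous As IPrincipal = New GenericPrincipal(New GenericIdentity(""), New String() {})
        Console.WriteLine(HasPermission(alice, CInt(Permissions.OfficeUserViewReports)))
        Console.WriteLine(HasPermission(alice, CInt(Permissions.AdminManageUsers)))
        Console.WriteLine(HasPermission(anonymous, CInt(Permissions.OfficeUserViewReports)))
    End Sub
End Class
```

Demo prints True for alice viewing reports, False for alice managing users, and False for the anonymous principal, whose empty GenericIdentity name makes IsAuthenticated false. Keeping the decision in one place means the attribute, a view-level check and any service-layer guard all agree on who may do what.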