Home/ Questions/Q 8485459
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T20:39:11+00:00

I have an MVC application which authenticates against Active Directory using Forms authentication. As

  • 0

I have an MVC application which authenticates against Active Directory using Forms authentication. As my MVC application has gown in size, it has become apparent that the role checking I am doing is becomming more and more fragmented. I want to replace things like:

[Authorize(Roles = "Staff")] and Thread.CurrentPrincipal.IsInRole("Staff")

with something along the lines of:

[AuthorizePermission(Permission.CanDoSomething)] and Thead.CurrentPrincipal.HasPermission(Permission.CanDoSomething)

where Permission is an enum. Now I was thinking that I could define which permissions each AD role has in the web.config like so:

  <role name="Staff">
    <permissions>
      <add name="CreateEditDeleteSomething" />
      <add name="PublishSomething" />
      <add name="QueryUsers" />
    </permissions>
  </role>

I could then implement an IPrincipal extension method – HasPermission(Permission permission). This would see if the User belogs to any of the AD groups which have the the passed in permission as defined in the web.config. This would allow me to alter the permissions a particular AD goup has without having to change the code or update the existing tests. The custom Authorize Attribute could then call the HasPermission method.

Is this approach correct or are there better ways of simplifying my roles within the application? I have seen a number of examples on here and around the web but they seem to be overly complicated. Can I acheive this by just checking the passed in Permission against my web.config role settings in HasPermission? The IPrincipal will have its AD roles so surely it is straightforward to then determine the permissions allowed?

Any help appreciated!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Permissions are much more complicated than roles.

    There can often be permission groups such as CreateEditDelete… but their can also be granular subsets such as just “Create”, “Edit”, “Delete”

    The way I would solve this problem is to create a PermissionsManger class that can determine which permissions that a user should have given the business rule context and their AD roles.

    I used bitwise flags to help simplify the complications of granular permissions.

    How you map the roles to permissions is completely up to you.

    using System;
using System.Linq;
using System.Security.Principal;

// Install-Package FluentAssertions -Pre
using FluentAssertions;

public static class ExtensionsForIPrincipal
{
    public static bool HasPermission(this IPrincipal principal, Permissions permission)
    {
        return PermissionsManager.GetUserPermissions(principal).HasFlag(permission);
    }

    public static bool IsInRole(this IPrincipal principal, params string[] roleNames)
    {
        return roleNames.Any(principal.IsInRole);
    }
}

public static class PermissionsManager
{
    public static Permissions GetUserPermissions(IPrincipal user)
    {
        if ( user.IsInRole("admin") )
        {
            return Permissions.All;
        }

        var userPermissions = Permissions.None;

        if ( user.IsInRole("staff", "user") )
        {
            userPermissions |= Permissions.QueryUsers;
        }

        if ( user.IsInRole("staff") )
        {
            userPermissions |= Permissions.PermissionsCreateEditDeleteSomething | Permissions.QueryUsers;
        }

        if ( user.IsInRole("editor") )
        {
            userPermissions |= Permissions.PublishSomething;
        }

        return userPermissions;
    }
}

[Flags]
public enum Permissions
{
    None = 0,
    CreateSomething = 1,
    EditSomething = 2,
    DeleteSomething = 4,
    PublishSomething = 8,
    QueryUsers = 16,
    PermissionsCreateEditDeleteSomething = CreateSomething | EditSomething | DeleteSomething,
    All = PermissionsCreateEditDeleteSomething | PublishSomething | QueryUsers
}

internal class Program
{
    private static void Main(string[] args)
    {
        IPrincipal admin = Create("james", "admin");

        PermissionsManager.GetUserPermissions(admin).ShouldBeEquivalentTo(Permissions.All);

        admin.HasPermission(Permissions.None).Should().BeTrue();
        admin.HasPermission(Permissions.EditSomething).Should().BeTrue();
        admin.HasPermission(Permissions.PermissionsCreateEditDeleteSomething).Should().BeTrue();
        admin.HasPermission(Permissions.PublishSomething).Should().BeTrue();
        admin.HasPermission(Permissions.QueryUsers).Should().BeTrue();
        admin.HasPermission(Permissions.All).Should().BeTrue();

        IPrincipal editor = Create("susan", "editor", "staff");

        editor.HasPermission(Permissions.None).Should().BeTrue();
        editor.HasPermission(Permissions.EditSomething).Should().BeTrue();
        editor.HasPermission(Permissions.PermissionsCreateEditDeleteSomething).Should().BeTrue();
        editor.HasPermission(Permissions.QueryUsers).Should().BeTrue();
        editor.HasPermission(Permissions.PublishSomething).Should().BeTrue();
        editor.HasPermission(Permissions.All).Should().BeTrue();

        IPrincipal staff = Create("michael", "staff");

        staff.HasPermission(Permissions.None).Should().BeTrue();
        staff.HasPermission(Permissions.EditSomething | Permissions.DeleteSomething).Should().BeTrue();
        staff.HasPermission(Permissions.PermissionsCreateEditDeleteSomething).Should().BeTrue();
        staff.HasPermission(Permissions.QueryUsers).Should().BeTrue();
        staff.HasPermission(Permissions.PublishSomething).Should().BeFalse();
        staff.HasPermission(Permissions.All).Should().BeFalse();

        IPrincipal user = Create("bob", "user");

        user.HasPermission(Permissions.None).Should().BeTrue();
        user.HasPermission(Permissions.EditSomething).Should().BeFalse();
        user.HasPermission(Permissions.PermissionsCreateEditDeleteSomething).Should().BeFalse();
        user.HasPermission(Permissions.QueryUsers).Should().BeTrue();
        user.HasPermission(Permissions.PublishSomething).Should().BeFalse();
        user.HasPermission(Permissions.All).Should().BeFalse();

        IPrincipal anon = Create("anonymous");

        anon.HasPermission(Permissions.None).Should().BeTrue();
        anon.HasPermission(Permissions.EditSomething).Should().BeFalse();
        anon.HasPermission(Permissions.PermissionsCreateEditDeleteSomething).Should().BeFalse();
        anon.HasPermission(Permissions.QueryUsers).Should().BeFalse();
        anon.HasPermission(Permissions.PublishSomething).Should().BeFalse();
        anon.HasPermission(Permissions.All).Should().BeFalse();

        Console.WriteLine("All tests passed");
        Console.ReadLine();
    }

    private static IPrincipal Create(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }
}
    • 0