I am trying to implement a login for my application.
The user can have multiple roles (Viewer, Operator, Admin etc.).
But he has to choose a certain role with which he wants to get logged in,
so he probably has administrator privileges but he can log in as a “Viewer” with no admin rights.
The problem is now that if I try to secure some functions with the RequiredRole attribute for an administrator, the user should not be able to access this function if he is logged in as viewer, even if he would have administrator rights.
Is such a behaviour supported by the framework or has anyone done something similar before?
Thanks anyway for your help
You’ve not specified what you want to happen when he tries to do something that requires Admin when he’s logged in as Viewer, but since you can implement your own Role Provider, this is easy to do.
You should be able to store something in the session or your user principal object stating the “available roles” (some of them won’t be able to pick Administrator, for example) and then another one for Selected Role. All you’d need to do is put some page into your site to allow the user to select their current role.
Since you’d be using your own Role Provider, you can just implement this to pull the relevant information out of the Session (or the User Principal) when checking roles. You’ll still be able to use the RequiredRole attribute as you like.
There are a few examples around of how you can change the behaviour from redirecting you to the logon form when you don’t have access to redirect you to a 403 page (e.g. With ASP.NET membership, how can I show a 403?). You could then show something on this page which would allow the user to switch to a higher role if they have one available.
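An added example (not code from the answer above or from any framework) of a role provider along these lines, assuming ASP.NET's `System.Web.Security.RoleProvider` is the provider in use. The session keys `AvailableRoles` and `SelectedRole` and the `TrySelectRole` helper are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class SelectedRoleProvider : RoleProvider
{
    private const string AvailableKey = "AvailableRoles"; // hypothetical session key, filled at logon
    private const string SelectedKey = "SelectedRole";    // hypothetical session key, set by the user
    public override string ApplicationName { get; set; }

    // Call from the role-selection page. Refuses any role the user was never granted,
    // so a tampered form value cannot raise the session's privileges.
    public static bool TrySelectRole(HttpSessionState session, string requested)
    {
        var granted = session[AvailableKey] as string[] ?? new string[0];
        var match = granted.FirstOrDefault(
            r => string.Equals(r, requested, StringComparison.OrdinalIgnoreCase));
        if (match == null) return false;
        session[SelectedKey] = match;
        return true;
    }

    public override string[] GetRolesForUser(string username)
    {
        var ctx = HttpContext.Current;
        // Fail closed: no request context, session not loaded yet (it is null before
        // AcquireRequestState), or a lookup for someone other than the current user.
        if (ctx == null || ctx.Session == null || ctx.User == null ||
            !string.Equals(ctx.User.Identity.Name, username, StringComparison.OrdinalIgnoreCase))
            return new string[0];
        var granted = ctx.Session[AvailableKey] as string[] ?? new string[0];
        var selected = ctx.Session[SelectedKey] as string;
        // Re-check the selection against the granted list on every call.
        return granted.Where(r => string.Equals(r, selected, StringComparison.OrdinalIgnoreCase))
                      .Take(1).ToArray();
    }

    public override bool IsUserInRole(string username, string roleName) =>
        GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);

    // Role administration is not part of this example.
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool t) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string r, string u) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override bool RoleExists(string r) { throw new NotSupportedException(); }
}
```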