Home/ Questions/Q 8645275
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T12:30:31+00:00

I was looking for an implementation / example of loading and authorizing a resource

  • 0

I was looking for an implementation / example of loading and authorizing a resource at a controller level. I am looking for the same functionality as load_and_authorize_resource in the cancan gem in ruby on rails.

Has anyone come across one / have an example how to implement something similar using Mvc .Net attributes?

Thanks!

The load_and_authorize_resource behaviour

With rails, controller and model names are linked up by convention. The attribute load_and_authorize_resource takes that to its advantage. When an action is hit that requires an instance of a resource, the load_and_authorize_resource verifies whether the instance of the resource can be accessed. If it can, it will load it up in an instance variable, if it cant, it will return a 404 or any error behaviour you have configured the attribute to produce.

For example, if I have a resource picture, and only user that own a certain picture can edit the picture’s name.

So we would have a Edit action, which obviously would have a pictureId of the picture you want to edit. load_and_authorize_resource would verify whether the current context/user has access to the resource.

Here is a small video introduction of the module.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I am not aware of the existence of such plugin for ASP.NET MVC. To mimic it’s functionality you could write a custom Authorize attribute though:

    public class LoadAndAuthorizeResourceAttribute : AuthorizeAttribute
{
    private class ModelDescriptor
    {
        public string Name { get; set; }
        public Type ModelType { get; set; }
    }

    private const string ModelTypeKey = "__ModelTypeKey__";
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var parameters = filterContext.ActionDescriptor.GetParameters();
        if (parameters.Length > 0)
        {
            // store the type of the action parameter so that we could access it later
            // in the AuthorizeCore method
            filterContext.HttpContext.Items[ModelTypeKey] = new ModelDescriptor
            {
                Name = parameters[0].ParameterName,
                ModelType = parameters[0].ParameterType,
            };
        }
        base.OnAuthorization(filterContext);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            // the user is not authenticated or authorized => no need to continue
            return false;
        }

        // get the currently authenticated username
        string username = httpContext.User.Identity.Name;

        // get the id of the resource that he is trying to manipulate
        // the id should be sent either as part of the query string or the routes
        string id = httpContext.Request.RequestContext.RouteData.Values["id"] as string;

        // get the action param type
        var modelDescriptor = httpContext.Items[ModelTypeKey] as ModelDescriptor;

        if (modelDescriptor == null)
        {
            throw new InvalidOperationException("The controller action that was decorated with this attribute must take a model as argument");
        }

        // now load the corresponding entity from your database given the 
        // username, id and type
        object model = LoadModel(id, username, modelDescriptor.ModelType);

        if (model == null)
        {
            // the model that satisfies the given criteria was not found in the database
            return false;
        }

        httpContext.Request.RequestContext.RouteData.Values[modelDescriptor.Name] = model;

        return true;
    }

    private object LoadModel(string id, string username, Type modelType)
    {
        // TODO: depending on how you are querying your database
        // you should load the corresponding model here or return null
        // if not found
        throw new NotImplementedException();
    }
}

    and now you could have a controller action that is decorated with this attribute:

    [LoadAndAuthorizeResource]
public ActionResult Edit(Picture model)
{
    ... if we get that far the user is authorized to modify this model
}
    • 0