Home/ Questions/Q 3459064
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T10:03:39+00:00

I’m modifying a system written in c# MVC at the moment. I’ve just built

  • 0

I’m modifying a system written in c# MVC at the moment.

I’ve just built in an extra bit of functionality in the Administrator area that allows the administrator create a user account that has limited administrator functionality. I’ve put the following over each of the controllers for the new functionality:

[Authorize(Roles = "Administrator")]

However, if I log in using limited administrator account, and navigate to this page, it lets me through.

I’m stumped because I appear to be doing this the right way but I’m also fairly new to MVC, is there anything else I can check? I haven’t changed anything in the web.config file so that should be ok.

I know there’s limited information above, not looking for a ready-made solution, more advice on what I can check to correct the issue.

thanks

EDIT:

This is how the new role/account was created. Go easy too, this is a first ditch attempt, there’s not much validation.

[Authorize(Roles = "Administrator")]
    [HttpPost]
    public ActionResult AddSalesManager(App.Web.Areas.Administrator.Models.SalesManager model, FormCollection formValues)
    {
        if (formValues["Cancel"] != null)
        {
            return RedirectToAction("Index");
        }

        if (!string.Equals(model.password, model.confirmpassword))
        {
            ModelState.AddModelError("password", "Password and Confirmation must match");
        }

        if (ModelState.IsValid)
        {
            using (ModelContainer ctn = new ModelContainer())
            {
                // First, create the user account inside the ASP.Net membership system.
                //

                Membership.ApplicationName = "App";
                Roles.ApplicationName = "App";

                if (!Roles.RoleExists("LimitedAdmin"))
                    Roles.CreateRole("LimitedAdmin");

               // MembershipCreateStatus createStatus = MembershipService.CreateUser(model.email, model.password, model.email);
                if (Membership.GetUser(model.email) == null)
                {
                    Membership.CreateUser(model.email, model.password);
                    Roles.AddUserToRole(model.email, "LimitedAdmin");
                }

            }
        }
        return RedirectToAction("Index");

    }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    What do you expect from this code?

    With this attribute you gain all users in the administrator role the right to execute this controller action no matter how limited the account is.

    • 0