Home/ Questions/Q 7073035
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T05:52:52+00:00

In my database, the system user has a list of modules he/she can access.

  • 0

In my database, the system user has a list of modules he/she can access.

I would like to be able to add an authorise attribute which checks that this is the case.

E.g. [authorise(UserID, ControllerName)]

Which goes to some code, ensures that the User with UserID specified, has the controller name in his/her list.

At the moment you can simply bypass the fact the tabs aren’t visible, by using the URL. (I have code which already checks if the user has specified access and hides/shows tabs)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            return false;
        }

        string currentUser = httpContext.User.Identity.Name;
        string currentController = httpContext.Request.RequestContext.RouteData.GetRequiredString("controller");

        // TODO: go hit your database and see if currentUser can access
        // currentController and return true/false from here

        ...
    }
}

    then decorate your controllers or actions:

    [MyAuthorize]
public class FooController: Controller
{
    ...
}

    This being said I suspect that you might have gone the wrong way in your database design by storing a list of which user has access to access which controller action. Probably you should have used roles for that. Having the database know about controllers just feels wrong.

    So:

    [Authorize(Roles = "Foo,Bar")]
public class FooController: Controller
{
    ...
}

    Only users that have the Foo or Bar role can access the FooController.

    • 0