I’ve got a task of creating a read-only user for our ASP.Net MVC3 application. I.e. they can login, view all the data, but can not update any data.
I have read a lot of authentication articles/frameworks, like this one: Implement secure ASP.NET MVC applications, or Fluent Security Configuration, or Creating Action Filters in ASP.Net MVC (and a few other, I have lost links to already).
The problem with most of the approaches that they require drastic changes to the domain/application. And I have only one day to implement the feature.
We have about a hundred of controllers with on average of 4 actions per controller (mostly CRUD operations), and going through every single one of them is out of the question. Also it would be easy to forget to put attributes on the the new code – introducing bugs.
So far I have came up with global filter that denies all POST-based actions and controller actions called “Create” for read-only user:
public class ReadOnlyFilter : IActionFilter
{
public void OnActionExecuting(ActionExecutingContext filterContext)
{
var currentUser = HttpContext.Current.User;
if (currentUser == null || !currentUser.Identity.IsAuthenticated)
return; // user is not logged in yet
if (!currentUser.IsInRole("Readonly"))
return; // user is not read-only. Nothing to see here, move on!
// Presume User is read-only from now on.
// if action is of type post - deny
if (filterContext.HttpContext.Request.HttpMethod.ToUpper() == "POST")
{
filterContext.HttpContext.Response.Redirect("~/ReadOnlyAccess");
}
// if action is "Create" - deny access
if (filterContext.ActionDescriptor.ActionName == "Create")
{
filterContext.HttpContext.Response.Redirect("~/ReadOnlyAccess");
}
// if action is edit - check if Details action exits -> redirect to it.
//TODO get this done ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
return;
}
public void OnActionExecuted(ActionExecutedContext filterContext)
{
// blah! have to have this here for IActionFilter
}
}
Next thing I plan to create attribute [AllowReadOnlyUser] for post actions, like changing the password/email, and in the filter allow that action to go through.
I wonder if there are better ways to do this kind of thing?
Update: The application is not for public consumption. It is used in corporate world to track people, assets and other boring data.
Update 2: I’ve seems to be finished with this task. Done it as a controller, as started. Full code and some explanation you can see in my blog.
you can use the System.Web.Mvc.AuthorizeAttribute for your purpose. Create a class that derives from AuthorizeAttribute and override the methods AuthorizeCore and HandleUnauthorizedRequest. In AuthorizeCore you determine if a user is allowed to execute an action, in HandleUnauthorizedRequest you determine what to display if he isn’t allowed (for instance, show a “NotAllowed”-View).
After creating your custom authorization attribute, you have to add the attribute to all controller actions that should be protected by your custom authorization. For instance, all POST-methods. But if there is a POST-method that should be allowed for all users, you just don’t add the attribute to that controller action.