2

I have a C# MVC Razor web application with custom membership and everything works wonderfully. I am able to get the logged-in user name by using this: User.Identity.Name. I have a database of usernames and their roles. Now the problem is, in one of my views I am trying to restrict access to only "admin", so I tried using User.IsInRole; however, this always returned false. So then I tried using Roles.IsUserInRole, and then I get an exception that says it's not enabled.

I Googled around and found several custom controllers for role provider that have the function IsUserInRole.

My question is, do I need to create a custom controller for IsUserInRole to be enabled? In my view, when I enter Roles. --> Visual Studio lists a list of built-in functions that has IsUserInRole, so my question is, will creating my own custom role provider override the built-in functions?

Assuming I have the custom function, how will my web application tie it all in and check if the user is in a role?

Thanks in advance for your responses.

4

3 Answers

2

Try creating a custom role provider. This page on MSDN goes into the basics.

The custom role provider should inherit from the abstract class System.Web.Security.RoleProvider. In this class, you can then implement the abstract method IsUserInRole(string username, string roleName) to provide the logic that you need to answer the IsUserInRole call properly based on your application needs.

Answered 2013-08-25T11:15:50.617
0

You may add the [Authorize(Roles = "Admin")] attribute to your action or to the controller.

Answered 2013-08-25T17:47:29.000
0

You can simply override the interface, with something like this:

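    // Controller action; needs System.Web (HttpCookie) and System.Web.Security (FormsAuthentication*)
    [HttpPost]
    public ActionResult Login(MVVMLogin LoginData)
    {
        // validate user against database
        var IsValid = true;

        if (IsValid == true)
        {
            // Comma-separated roles for this user; carried in the ticket's UserData
            var Roles = "admin";

            var authTicket = new FormsAuthenticationTicket(
                1,                            // version
                LoginData.Username,
                DateTime.Now,                 // issued
                DateTime.Now.AddMinutes(20),  // expires
                false,                        // not persistent
                Roles,                        // UserData
                "/");

            // The ticket, including the role list, is encrypted before it goes into the cookie
            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket))
            {
                HttpOnly = true,                         // keep the auth cookie away from client script
                Secure = FormsAuthentication.RequireSSL  // follow the forms requireSSL setting
            };
            Response.Cookies.Add(cookie);
        }

        return View();
    }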

And in the global.asax you can add the following:

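    // Needs System.Security.Principal (GenericPrincipal) and System.Web.Security (FormsIdentity)
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // Only act on requests already authenticated by forms authentication
        if (HttpContext.Current.User == null) return;
        if (!HttpContext.Current.User.Identity.IsAuthenticated) return;
        if (!(HttpContext.Current.User.Identity is FormsIdentity)) return;

        // Read the roles that Login stored in the decrypted ticket's UserData
        var id = HttpContext.Current.User.Identity as FormsIdentity;
        var ticket = id.Ticket;
        var userData = ticket.UserData;
        var roles = userData.Split(new[] { ',' });

        // Replace the principal so User.IsInRole and [Authorize(Roles = ...)] see these roles
        HttpContext.Current.User = new GenericPrincipal(id, roles);
    }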

Now you can control which type of users can access the controller:

    [Authorize(Roles = "admin,user")]
    public class CampaignsController : Controller

Answered 2013-08-27T03:01:17.293