Roles based Menu question

Hi, I am following your instructions on an ASP MVC 5 (4.6.2) site and trying to understand this comment from Stack Overflow.

Again, the roles attribute is only for interoperability with ASP.NET and should not be used for pure MVC, since it means you need to duplicate your roles on AuthorizeAttribute anyway.

Can you please help? Which roles attribute are you referring to? Do you mean the extension?

If I implement this with ASP Identity V2.2 MVC 5, and simply enable the security trimming attribute, would that be enough, or are you stating this additional extension is needed?

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web.Mvc;

    public static class ControllerContextExtensions
    {
        // Returns the role names from the first AuthorizeAttribute that applies to the current action.
        public static IEnumerable<string> Roles(this ControllerContext controllerContext)
        {
            var controllerType = controllerContext.Controller.GetType();
            var controllerDescriptor = new ReflectedControllerDescriptor(controllerType);
            var actionName = controllerContext.RouteData.Values["action"] as string;
            var actionDescriptor = controllerDescriptor.FindAction(controllerContext, actionName);

            // Collect global, controller-level and action-level filters and keep the first AuthorizeAttribute.
            var authorizeAttribute = FilterProviders.Providers.GetFilters(controllerContext, actionDescriptor)
                .Where(f => typeof(AuthorizeAttribute).IsAssignableFrom(f.Instance.GetType()))
                .Select(f => f.Instance as AuthorizeAttribute).FirstOrDefault();

            string[] roles = { };
            if (authorizeAttribute != null && authorizeAttribute.Roles.Length > 0)
            {
                // Roles is a comma-separated string; split it and trim each name.
                roles = Array.ConvertAll(authorizeAttribute.Roles.Split(','), r => r.Trim());
            }

            return roles;
        }
    }

Issue Analytics

  • State: open
  • Created 7 years ago
  • Comments: 5

Top GitHub Comments

NightOwl888 commented, Aug 6, 2016

What I mean is that there is a roles attribute in the .sitemap schema (and also on the ISiteMapNode). This attribute was carried over from Microsoft’s ASP.NET implementation and is only meant for use if you have a hybrid MVC/ASP.NET website.

For a pure MVC website, you should do nothing more than configure your security with AuthorizeAttribute or a subclass of it, and then enable security trimming on MvcSiteMapProvider, which picks it up automatically.

NightOwl888 commented, Aug 7, 2016

If you are referring to putting that into a custom AuthorizeAttribute subclass, then yes that will work fine. The only requirement is that the filterCtx.Request be set to a non-null value if authorization fails.

I am not sure what approach is best for your application, as making a “mapping” between roles and actions might not scale well.

One approach is to just make a granular set of roles (“EditProject”, “ViewProject”, “DeleteProject”, etc). But keep in mind the roles are normally set in a cookie and will result in more bandwidth usage if you overdo it (not to mention, there is a limit to how big a cookie can be).

Another would be to make a custom AuthorizeAttribute, override the AuthorizeCore method and return true whenever the authorization succeeds. It might not scale well to hit a database for this, though, and keep in mind that MvcSiteMapProvider checks all of your visible Menu actions on each page load when you use @Html.MvcSiteMap().Menu().

You can register AuthorizeAttribute as a global filter so you don’t have to decorate every action method with one.

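    using System.Web.Mvc;

    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            // MyAuthorizationAttribute is the application's own AuthorizeAttribute subclass (not shown here).
            filters.Add(new MyAuthorizationAttribute());
            filters.Add(new HandleErrorAttribute());

            // GlobalFilterProvider is an application-defined provider (not shown here) that resolves filters through DI.
            FilterProviders.Providers.Insert(0, new GlobalFilterProvider(DependencyResolver.Current));
        }
    }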

Note that if you are using DI you can also make a global filter provider so you can control the lifetime of your DbContext using the DI container.
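
One way to write the custom AuthorizeAttribute with an AuthorizeCore override that the comment above describes, as an added example that is not part of the original thread or of MvcSiteMapProvider. IPermissionStore, PermissionAuthorizeAttribute and the cache key are hypothetical names; the example assumes the store is registered with the MVC DependencyResolver and that HttpContext.Items is shared by all authorization checks made during one request, so a menu with many nodes costs one lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical application interface: the permission names granted to a user.
public interface IPermissionStore
{
    ISet<string> GetPermissions(string userName);
}

public class PermissionAuthorizeAttribute : AuthorizeAttribute
{
    private const string CacheKey = "__user_permissions"; // constructed key name

    // Permission required by the decorated action, e.g. "EditProject".
    public string Permission { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false; // deny anonymous
        if (string.IsNullOrWhiteSpace(Permission)) return false;          // fail closed

        // Load the permission set once per request and reuse it for later checks.
        var granted = httpContext.Items[CacheKey] as ISet<string>;
        if (granted == null)
        {
            var store = DependencyResolver.Current.GetService<IPermissionStore>();
            granted = store != null ? store.GetPermissions(user.Identity.Name) : null;
            granted = granted ?? new HashSet<string>(); // no store or no data: nothing granted
            httpContext.Items[CacheKey] = granted;
        }
        return granted.Contains(Permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Either branch leaves filterContext.Result non-null, which marks the request as denied.
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403); // signed in, lacks permission
        else
            base.HandleUnauthorizedRequest(filterContext);        // anonymous: default 401 result
    }
}
```

Applied per action as `[PermissionAuthorize(Permission = "EditProject")]`; an attribute without a Permission value denies every request, so a missing setting cannot silently open an action.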
