ASP.NET MVC 4 How do you serve different HTML based on Role?

Question

On top of allowing only certain Roles to access certain Controller or Action, I would like to serve a slightly different HTML based on the roles.

Admin can see Edit

Answer 1

For menus, consider using MVCSiteMapProvider, which, like other SiteMapProviders, can be configured to use "security trimming", i.e. to only display nodes that the current user is authorized to use. I.e. a site map can be used to generate a menu which will automatically respect the Authorize attributes on controllers and actions.

For visibility of controls (edit button, delete button and the like), add boolean properties to your Model: CanEdit, CanDelete etc, and have your controller populate them based on the user's roles (User.IsInRole).

Separation of concerns dictates that you shouldn't access Roles directly in the View.

Answer 2

The solution you point to strikes me a very good one. A simpler (but perhaps harder to maintain) approach would be to pass a list of the user's roles has to the view (as a property of the model). In the view you would then have an if statement around the HTML displaying the button checking if the button should be displayed to the user.

Answer 3

If the view are quite similar than I usually handle this by creating a view that has the basic detail in that all the roles can see. I then typically add a few Partials for each role

 @Html.Partial("_AdminToolbar")
 @Html.Partial("_UserToolbar")

These partials have a simple

@if ( User.IsInRole("Admin") ) 

to only show the partial for the role. This works best if the partial is going to be reused in lots of places and makes the view easier to read and saves you having to repeat code with almost identical views.

You can always use the User.InRole or !User.InRole in the view to wrap bits of it to be shown or not shown.

It's also helpful to remember that in more complex cases, the position that the final HTML gets placed in the web page is not always the position that its rendered into the content. CSS can be used to position the content in the desires location and the entire contents for the admin can be injected into the output in one partial or inside one User.InRole block.

You could also use a shared base view for and then place a number of markers around different sections using RenderSection

@RenderSection("AdminSection", required: false)

Then in any specific views you have; there you can have a layout reference to the base view included in that section only if the page demands it because its only for an Admin. Then user's version wouldn't have the section. This helps to keep the code repeats/edits low or less.