MVC Role Authorization

Question

I am trying to implement a role authorization mechanism which checks the roles of the current logged in user, if the user is in the right role, he/she is allowed, else display e

Answer 1

Your original code was close, but the problem lies here:

base.OnAuthorization(filterContext);

Unconditionally calling the base class means you are requiring the decorated roles to be found in BOTH the UsersService and the built-in Role provider. If the role provider isn't configured to return the same set of roles (which they wouldn't if the default AuthorizeAttribute isn't sufficient for you) then this will obviously result in the Authorization test always returning false.

Instead you could add a separate property to the derived Attribute such as

public string RemoteRoles { get; set; }

and replace

 List<String> requiredRoles = Roles.Split(Convert.ToChar(",")).ToList();

with:

 List<String> requiredRoles = RemoteRoles.Split(Convert.ToChar(",")).ToList();

And decorate your controller like such:

[RoleAuthorization (RemoteRoles = "Client, Administrator")]

Answer 2

Since I had the roles of the users in the database I had to check against the database so I included this method in the global.asax

protected void Application_AuthenticateRequest(object sender, EventArgs args)
    {
        if (Context.User != null)
        {
            IEnumerable<Role> roles = new UsersService.UsersClient().GetUserRoles(
                                                    Context.User.Identity.Name);


            string[] rolesArray = new string[roles.Count()];
            for (int i = 0; i < roles.Count(); i++)
            {
                rolesArray[i] = roles.ElementAt(i).RoleName;
            }

            GenericPrincipal gp = new GenericPrincipal(Context.User.Identity, rolesArray);
            Context.User = gp;
        }
    }

Then I could use the normal

[Authorize(Roles = "Client, Administrator")]

On top of the actionResult methods in the controllers

This worked.

Answer 3

If you're using MVC 5 you have to enable lazy loading in your DbContext by putting the following line in your DbContext initialisation.

this.Configuration.LazyLoadingEnabled = true;

In MVC 5 default project you'll add it to ApplicationDbContext.cs file.

I'm not sure if this is particular to MVC 5, to Identity 2.0, or affect other versions. I'm using this setup and enabling lazy loading make all the default role schema works. See https://stackoverflow.com/a/20433316/2401947 for more info.

Additionally, if you're using ASP.NET Identity 2.0 default permission schema, you don't have to implement Application_AuthenticateRequest as Darren mentioned. But if you're using custom authorisation tables, then you have to implement it as well.