ASP.NET MVC - Dynamic Authorization

Question

I am building a simple CMS in which roles are set dynamically in the admin panel. The existing way of authorizing a controller method, adding [Authorize(Roles="admin")] for example, is therefore no longer sufficient. The role-action relationship must be stored in the database, so that end users can easily give/take permissions to/from others in the admin panel. How can I implement this?

Answer 1

If you want to take control of the authorization process, you should subclass AuthorizeAttribute and override the AuthorizeCore method. Then simply decorate your controllers with your CmsAuthorizeAttribute instead of the default.

public class CmsAuthorizeAttribute : AuthorizeAttribute
{
    public override virtual bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        IIdentity identity = user.Identity;

        if (!identity.IsAuthenticated) {
            return false;
        }

        bool isAuthorized = true;
        // TODO: perform custom authorization against the CMS


        return isAuthorized;
    }
}

The downside to this is that you won't have access to ctor-injected IoC, so you'll have to request any dependencies from the container directly.

Answer 2

That is exactly what the ASP.NET membership / profile stuff does for you. And it works with the Authorize attribute.

If you want to roll your own you could create a custom action filter that mimics the behavior of the standard Authorize action filter does. Pseudo code below.

public MyAuthorizeAttribute : ActionFilterAttribute
{
    public string MyRole { get; set; }

    public void OnActionExecuting(ControllerContext context)
    {
        if (!(bool)Session["userIsAuthenticated"])
        {
            throw new AuthenticationException("Must log in.");
        }

        if (!Session["userRoles"].Contains(MyRole))
        {
            throw new AuthenticationException("Must have role " + MyRole);
        }
    }
}

Answer 3

The role - action relationship must be stored in the database

You will have to check your security within the controller method, unless you want to subclass AuthorizeAttribute so that it looks up the roles from the database for you.