Login with different profiles

3

I'm developing an application for a school, where you control what the students have. The application handles student registration and the registration of occurrences (suspension or warning) committed by the student. In that context, I need logins with different levels of access.

For example, there need to be three types of profiles: Administrator (who can do everything, full control), Teacher (who can only register and edit new occurrences and view student data, but not change or delete it) and Coordinator (who cannot change or delete student data, can only view it, but can add, edit, and delete the occurrences created).

I have already looked at several articles on the topic, but they only confuse me more, as some use SimpleMembershipProvider and others use Forms... But my question is: which implementation would be better, and are there any examples I could follow to do this type of authentication in my application? Would I have to create other views, or how can I restrict access to actions? I wanted your help because I am new to ASP.NET MVC and I do not really know where to look for something that is actually useful.

Also because I downloaded a book, and when it does the roles it adds the users who can access certain areas by hand, and this is what I want, because in the school there are MANY teachers and coordinators, and it would be difficult to maintain this type of code. And, remember, the one who will add new users is the admin, since it has all the privileges.

asked by anonymous 22.05.2014 / 15:29

1 answer

4

You can decorate Controllers or Methods with an Authorization Attribute.

Example

Create a class that inherits from FilterAttribute and implements IAuthorizationFilter:

using System;
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class PermissionAttribute : FilterAttribute, IAuthorizationFilter
{
    // Comma-separated list of role names allowed to reach the decorated controller or action.
    public string Roles { get; set; }

    public PermissionAttribute(string roles)
    {
        this.Roles = roles;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.RequestContext.HttpContext;

        // Not logged in at all: deny.
        if (!httpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult("Sem permissão");
            return;
        }

        // Logged in but the session holds no role list (for example the session expired while
        // the authentication cookie is still valid): deny rather than silently letting the
        // request through, which is what happens if this case sets no Result.
        object sessionRoles = httpContext.Session[".PermissionCookie"];
        if (sessionRoles == null)
        {
            FormsAuthentication.SignOut();
            filterContext.Result = new HttpUnauthorizedResult("Sem permissão");
            return;
        }

        // Roles required by the attribute and roles held by the user, trimmed so that
        // "Administrador, Aluno" and "Administrador,Aluno" compare equal.
        string[] requiredRoles = Roles.Split(',').Select(r => r.Trim()).ToArray();
        string[] userRoles = sessionRoles.ToString().Split(',').Select(r => r.Trim()).ToArray();

        // Allow when the user holds at least one of the required roles (case-sensitive match).
        bool allowed = requiredRoles.Intersect(userRoles).Any();
        if (!allowed)
        {
            FormsAuthentication.SignOut();
            filterContext.Result = new HttpUnauthorizedResult("Sem permissão");
        }
    }
}

In Controllers you decorate them like this:

[PermissionAttribute("Administrador,Aluno")]
public class CreditosController : Controller
[PermissionAttribute("Administrador")]
public class UsuariosController : Controller

By Method

[PermissionAttribute("Administrador")]
public ActionResult UsuariosView()
{
    return View();
}

This is the checking part of the rule; the user login should have a routine similar to this (everything will depend on your business rules):

// "login" is the posted login view model; Remember is its "keep me logged in" flag.
FormsAuthentication.SetAuthCookie(login.UserName, login.Remember);
// Store the roles of the authenticated user for PermissionAttribute to check.
Session.Add(".PermissionCookie", "Administrador");
// or Session.Add(".PermissionCookie", "Administrador,Aluno");
// or Session.Add(".PermissionCookie", "Aluno");
return RedirectToAction("Index", "Administrativo");

In this case it is stored in the Session under .PermissionCookie, but you can save it in a Cookie or in the database; it all depends on your rules!


22.05.2014 / 15:42
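An added example (not part of the answer above) of how the three profiles from the question could be mapped onto this attribute. "Administrador" is the role name used in the answer; "Professor" and "Coordenador" are assumed names for the Teacher and Coordinator profiles, and the controller and action names are illustrative. Because each PermissionAttribute sets its own deny result, a request must satisfy both the class-level and the method-level attribute to reach an action, so a method-level list only ever narrows the class-level one.

```csharp
using System.Web.Mvc;

// Student data: all three profiles may read it, only the administrator may change it.
[PermissionAttribute("Administrador,Professor,Coordenador")]
public class AlunosController : Controller
{
    public ActionResult Index() { return View(); }
    public ActionResult Details(int id) { return View(); }

    // Class-level filter lets the three roles in, method-level filter then
    // requires Administrador as well: teachers and coordinators are denied here.
    [PermissionAttribute("Administrador")]
    public ActionResult Edit(int id) { return View(); }

    [PermissionAttribute("Administrador")]
    [HttpPost]
    public ActionResult Delete(int id) { return RedirectToAction("Index"); }
}

// Occurrences: all three may list, create and edit; only administrators and
// coordinators may delete (the question says teachers cannot delete them).
[PermissionAttribute("Administrador,Professor,Coordenador")]
public class OcorrenciasController : Controller
{
    public ActionResult Index() { return View(); }
    public ActionResult Create() { return View(); }
    public ActionResult Edit(int id) { return View(); }

    [PermissionAttribute("Administrador,Coordenador")]
    [HttpPost]
    public ActionResult Delete(int id) { return RedirectToAction("Index"); }
}

// User management: the admin adds new users, so nobody else gets in at all.
[PermissionAttribute("Administrador")]
public class UsuariosController : Controller
{
    public ActionResult Index() { return View(); }
    public ActionResult Create() { return View(); }
}
```

A method-level role that is missing from its class-level list (for example "Professor" on Delete in UsuariosController) can never pass, since the class-level filter denies that role before the method-level one runs.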