MVC Encrypt / hide information according to user's role

2

Can anyone help me encrypt information according to the user's role? Basically I want the following: if the user's role is "Admin", the mobile number appears as 435267456. If the user's role is "User", the mobile number appears as xxxxxxxxxx.

I used `if (User.IsInRole("Admin"))` to hide links depending on the role and it works; now I want to encrypt the information, but I cannot.

Model

public partial class Cliente
{
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2214:DoNotCallOverridableMethodsInConstructors")]
    public Cliente()
    {
        this.Reserva = new HashSet<Reserva>();
    }

    public int ID_Cliente { get; set; }
    public string Nome { get; set; }
    public string Morada { get; set; }
    public string Telemovel { get; set; }
    public string Email { get; set; }
    public string Contribuinte { get; set; }
    public string CartaoCidadao { get; set; }
    public System.DateTime DataValidade { get; set; }
    public System.DateTime DataNascimento { get; set; }
    public System.DateTime DataRegisto { get; set; }
    public string País { get; set; }

    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly")]
    public virtual ICollection<Reserva> Reserva { get; set; }
}

View

  <div class="form-group">
        <label class="col-md-4 control-label">Telemóvel</label>
        <div class="col-md-4 inputGroupContainer">
            <div class="input-group">
                <span class="input-group-addon"><i class="glyphicon glyphicon-earphone"></i></span>
                <input name="Telemovel" class="form-control" type="text" value="@Model.Telemovel" readonly="readonly">
            </div>
        </div>
    </div>

Controller

// GET: Clientes/Details/5
public ActionResult Details(int? id)
{
    if (id == null)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
    }
    Cliente cliente = db.Cliente.Find(id);
    if (cliente == null)
    {
        return HttpNotFound();
    }

    ViewBag.ListaReservas = db.Reserva.Include(p => p.Cliente).Where(p => p.ID_Cliente == cliente.ID_Cliente);

    return View(cliente);
}
    
asked by anonymous 09.05.2018 / 10:32

2 answers

1

Since it is just a visualization, there is no need to do something complex; you can use an `if` in the view and display the data:

<div class="form-group">
    <label class="col-md-4 control-label">Telemóvel</label>
    <div class="col-md-4 inputGroupContainer">
        <div class="input-group">
            <span class="input-group-addon"><i class="glyphicon glyphicon-earphone"></i></span>
            @if (User.IsInRole("Admin"))
            {
                <input name="Telemovel" class="form-control" type="text" value="@Model.Telemovel" readonly="readonly">
            }
            else
            {
                <input name="Telemovel" class="form-control" type="text" value="xxxxxxxxxx" readonly="readonly">
            }
        </div>
    </div>
</div>

Another option would be not to use this `if` in the view, and instead change the information in the controller according to the permission:

public ActionResult Details(int? id)
{
    if (id == null)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
    }
    Cliente cliente = db.Cliente.Find(id);
    if (cliente == null)
    {
        return HttpNotFound();
    }

    // Non-admins get the number replaced by the same number of 'x' characters.
    // The null check avoids a NullReferenceException when no number is stored.
    // Note: this mutates the tracked entity, so do not call db.SaveChanges() afterwards.
    if (!User.IsInRole("Admin") && cliente.Telemovel != null)
    {
        cliente.Telemovel = new String('x', cliente.Telemovel.Length);
    }

    ViewBag.ListaReservas = db.Reserva.Include(p => p.Cliente).Where(p => p.ID_Cliente == cliente.ID_Cliente);

    return View(cliente);
}

Note that in the second option, in the controller, if the user is not admin it assigns the value "xxxx" to the property; in this case the number of "x" characters matches the length of Telemovel.

    
09.05.2018 / 15:21
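The controller-side option above overwrites a field on the entity that Entity Framework is tracking, which is easy to persist by accident and also leaves the masked string in an `<input name="Telemovel">` that a form could post back. The following is an added example (not part of the answer or the original project) of the same masking rule applied while building a separate view model, so the entity is never modified and the page only ever receives what the role is allowed to see. `ClienteDetailsViewModel`, `PhoneMasking` and the trimmed `Cliente` stand-in are hypothetical names introduced here; the role check uses the standard `IPrincipal.IsInRole`, and `GenericPrincipal` is used only to run the sample without ASP.NET.

```csharp
using System;
using System.Security.Principal;

// Hypothetical view model: carries only what the Details page renders, so the
// EF entity is never mutated and a masked value can never be posted back.
public class ClienteDetailsViewModel
{
    public int ID_Cliente { get; set; }
    public string Nome { get; set; }
    public string Telemovel { get; set; }
}

// Trimmed stand-in for the page's EF entity (constructed for this example).
public class Cliente
{
    public int ID_Cliente { get; set; }
    public string Nome { get; set; }
    public string Telemovel { get; set; }
}

public static class PhoneMasking
{
    // Same rule as the answer: every character becomes 'x', length preserved.
    // Null or empty values are returned unchanged instead of throwing.
    public static string Mask(string value)
    {
        if (string.IsNullOrEmpty(value)) return value;
        return new string('x', value.Length);
    }

    // Builds the view model for the given user. The decision is made server-side
    // from the authenticated principal, never from anything the client sends.
    public static ClienteDetailsViewModel ToDetailsViewModel(Cliente cliente, IPrincipal user)
    {
        if (cliente == null) throw new ArgumentNullException(nameof(cliente));
        bool canSeePhone = user != null && user.IsInRole("Admin");
        return new ClienteDetailsViewModel
        {
            ID_Cliente = cliente.ID_Cliente,
            Nome = cliente.Nome,
            Telemovel = canSeePhone ? cliente.Telemovel : Mask(cliente.Telemovel)
        };
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data and principals; in MVC the controller's User property is the IPrincipal.
        var cliente = new Cliente { ID_Cliente = 5, Nome = "Ana", Telemovel = "912345678" };
        var admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" });
        var user = new GenericPrincipal(new GenericIdentity("bob"), new[] { "User" });

        Console.WriteLine("Admin sees:  " + PhoneMasking.ToDetailsViewModel(cliente, admin).Telemovel);
        Console.WriteLine("User sees:   " + PhoneMasking.ToDetailsViewModel(cliente, user).Telemovel);
        Console.WriteLine("Entity kept: " + cliente.Telemovel);
    }
}
```

In the controller from the question this would replace `return View(cliente);` with `return View(PhoneMasking.ToDetailsViewModel(cliente, User));`, with the view typed as `@model ClienteDetailsViewModel`. The Details action itself should still carry an `[Authorize]` attribute; masking one field does not protect the rest of the record from anonymous requests.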
0

The correct way would be for you to implement a domain class (not directly in the View using Razor), the Model in this case, which does the validation and returns only the permitted information based on the user's permission level.

For this it would be correct to create a view of the user table for each type of user, e.g.:

CREATE VIEW vw_userForAdmin AS
 SELECT name, mobile -- and all the other columns allowed to admins
 FROM [User];

In Model.Usuario (you have not posted the code) there must be a method "getUserInfos(int user_id, string permission_role)" which queries the appropriate VIEW instead of the table directly.

Example:

getUserInfos(int user_id, string permission_role)
{
    switch (permission_role)
    {
        case PERMISSIONS.ADMIN:
            // SELECT on the VIEW and no longer on the User table
            break;
    }
}


    
09.05.2018 / 15:13