Login with different profiles


I’m developing an app for a school, which manages the students it has. The application registers students and records occurrences (suspension or warning) involving a student. In that context, I need logins with different levels of access.

For example, I need to have three types of profiles: Administrator (who can do everything, total control), Teacher (who can only register and edit new occurrences and view the students' data, but not change or delete them) and Coordinator (who cannot change or delete student data, can only view it, but can add, edit and delete created occurrences).

I’ve looked at several articles on the subject, but I only get more confused, because some use SimpleMembershipProvider and others use Forms... My question is: which implementation would be better, and is there an example I can follow to do this type of authentication in my application? Would I have to create other views or restrict access to actions? I wanted your help because I’m new to ASP.NET MVC and I don’t really know where to look for something that’s actually useful.

Also, I downloaded a booklet, and when it gets to roles, it adds the users who can access certain areas by hand, and that is not what I want, because at school there are MANY teachers and coordinators, and it would be difficult to maintain that type of code. And remember that the one who will add new users is the administrator, since they have all the privileges.

1 answer


You can decorate the Controllers and/or Methods with an authorization attribute.

Example

Create a class like this, inheriting from FilterAttribute and implementing IAuthorizationFilter:

using System;
using System.Web.Mvc;
using System.Web.Security;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class PermissionAttribute : FilterAttribute, IAuthorizationFilter 
{
    // Comma-separated list of roles allowed to reach the decorated controller or action.
    public string Roles { get; set; }

    public PermissionAttribute(String Roles)
    {
        this.Roles = Roles;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.RequestContext.HttpContext;

        // Not logged in: refuse the request.
        if (!httpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult("Sem permissão");
            return;
        }

        // The roles granted at login are kept in the session under ".PermissionCookie".
        // If the entry is missing (for example the session expired while the
        // authentication cookie is still valid), deny instead of falling through:
        // an authenticated user with no known roles must not be let in.
        object sessionRoles = httpContext.Session[".PermissionCookie"];
        if (sessionRoles == null)
        {
            FormsAuthentication.SignOut();
            filterContext.Result = new HttpUnauthorizedResult("Sem permissão");
            return;
        }

        String[] ItemSession = sessionRoles.ToString().Split(',');
        String[] ItemRoles = Roles.Split(',');

        // Access is granted when at least one required role is among the user's roles.
        bool f = false;
        int i = 0;
        while (i < ItemRoles.Length && !f)
        {
            int j = 0;
            while (j < ItemSession.Length && !f)
            {
                if (ItemRoles[i].Trim() == ItemSession[j].Trim())
                {
                    f = true;
                }
                j++;
            }
            i++;
        }

        if (!f)
        {
            FormsAuthentication.SignOut();
            filterContext.Result = new HttpUnauthorizedResult("Sem permissão");
        }
    }    
}

On Controllers you decorate them like this:

[PermissionAttribute("Administrador,Aluno")]
public class CreditosController : Controller

[PermissionAttribute("Administrador")]
public class UsuariosController : Controller

By method:

[PermissionAttribute("Administrador")]
public ActionResult UsuariosView(){
}

This is the checking part of the rule; the user login should have a routine similar to this (everything will depend on your business rules):

// after the credentials have been validated:
FormsAuthentication.SetAuthCookie(login.UserName, User.Remember);
Session.Add(".PermissionCookie", "Administrador"); 
// or Session.Add(".PermissionCookie", "Administrador,Aluno"); 
// or Session.Add(".PermissionCookie", "Aluno"); 
return RedirectToAction("Index", "Administrativo");

In this case it is being stored in the Session under .PermissionCookie, but you can save it in a cookie or in the database; all of this depends on your rule!
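Applying the attribute above to the three profiles from the question (students readable by everyone, editable only by the administrator; occurrences editable by teachers and coordinators, deletable only by administrator and coordinator), as an added example that is not part of the original answer. The PermissionAttribute is the one from the answer; AlunosController, OcorrenciasController, ContaController, IUsuarioRepositorio, Autenticar, Usuario.Perfil and LoginModel are assumed names, and the role strings are assumed to match exactly what the login stores.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Students: every profile may view, only the administrator may edit or delete.
// A class-level and a method-level PermissionAttribute both run (AllowMultiple),
// so an action is reached only when the user passes both lists.
[PermissionAttribute("Administrador,Professor,Coordenador")]
public class AlunosController : Controller
{
    public ActionResult Index() { return View(); }

    [PermissionAttribute("Administrador")]
    public ActionResult Edit(int id) { return View(); }

    [PermissionAttribute("Administrador")]
    public ActionResult Delete(int id) { return View(); }
}

// Occurrences: teachers and coordinators create and edit; deletion is
// restricted to the administrator and coordinators.
[PermissionAttribute("Administrador,Professor,Coordenador")]
public class OcorrenciasController : Controller
{
    public ActionResult Create() { return View(); }
    public ActionResult Edit(int id) { return View(); }

    [PermissionAttribute("Administrador,Coordenador")]
    public ActionResult Delete(int id) { return View(); }
}

// Login: the profile comes from the user record the administrator created in
// the database, so nothing is hard-coded per teacher or coordinator.
// IUsuarioRepositorio, Autenticar, Usuario.Perfil and LoginModel are assumed.
public class ContaController : Controller
{
    private readonly IUsuarioRepositorio _usuarios;
    public ContaController(IUsuarioRepositorio usuarios) { _usuarios = usuarios; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel login)
    {
        Usuario usuario = _usuarios.Autenticar(login.UserName, login.Password);
        if (usuario == null)
        {
            ModelState.AddModelError("", "Login inválido");
            return View(login);
        }
        FormsAuthentication.SetAuthCookie(usuario.Nome, false);
        Session[".PermissionCookie"] = usuario.Perfil; // e.g. "Professor"
        return RedirectToAction("Index", "Alunos");
    }
}
```

Because the attribute signs the user out when the session entry is missing, a new profile assigned by the administrator takes effect the next time that user logs in.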

  • Great approach. The only thing missing in the Permission code is this comment: //do it here according to your business rule!

  • @Ciganomorrisonmendez, you removed some things that don’t match. PermissionAttribute is like this; it follows the name of the class, which I created, and it has no alias.

  • Right, but that’s because of the spelling mistake I fixed before: from Atrribute (with two 'r') to Attribute. The framework understands that it is an attribute, so the word can simply be removed.

  • @Ciganomorrisonmendez, it was made with that name! So I posted it that way, and I repeat that I did not make the alias; I could have, as it is in my systems, but I thought it best to do it this way so that the user understands that such a class is an Attribute and makes the correlation. The worst part is that you changed it in the methods and ActionResult and left the class with the same name, which can confuse new users who see this code and then wonder why such an error occurs, given that it has no alias!!!

  • Good, then ok. I had imagined that I was wrong, but if so, no problem. Sorry for the inconvenience.

  • No inconvenience, @Ciganomorrisonmendez, I’m just explaining; I hope you understand!
