I have to display the buttons in the view based on the roles, let's say I have roles like admin user and default user wherein admin user will be able to see the delete, modify and add buttons but default user can only search. Currently, when a user logs in I am capturing the userid and sending the userid to the database to get the role of a user and I am storing those roles in session. In the view retrieving the role value using below code
#if (Session["UserRole"].ToString() == "Admin")
{
//show delete,modify and create buttons
}
but in my production, the code will be hosted on multiple servers and request can go to any of the servers.
My question is it a good practice to store the roles in the session, is there any better approach to solve my requirement. If I am going with the session in the production environment where there will be multiple servers will the session approach works?
You can have some performance problems with this solution, so I recommend to get the role in the action method and storage this in a ViewData.
But I think that the best solution is to create a partial view with this and in the method an authorize tag.
Related
I have created a multi auth application using guards and create a three login and register pages for users, admins, managers. I have a different users table for every userstrong text. I just need one login and register page for three type of users. How I should do that??
You could do something like:
if (! Auth::guard('user')->attempt($request->only('email', 'password'), $request->boolean('remember'))) {
// Logged in as user
}
if (! Auth::guard('admin')->attempt($request->only('email', 'password'), $request->boolean('remember'))) {
// Logged in as admin
}
...
But, you probably don't need different auth guards and a table for each type of user. Instead, the better approach here IMHO would be to use a single users table, and a single auth guard, but then use something like a permissions/roles system (example: spatie/laravel-permission) to differentiate between the user types.
This way you can just have one way to log in. You can split the login form or you can use the same form for all roles. Based on their role you can redirect them to another page where they can see their actions. For example, a separate admin dashboard. You can use different login URLs of course where you only allow users to log in with a certain role. This is a small adaption to the current login flow by just checking on the role as well. You can even create your own controller for it if needed.
You can always use middleware or permission based on the current role of the user to determine where they can go or what they can see.
Multi auth always makes it more complex, while in your case you just have users that log in but have different permissions.
I want to implement Role based authorization in mvc 5, i am using asp.net identity 2.0 for user authentication.
Please suggest how to implement this by using authorize attribute or any other possible way.
I also want to store user rights after login and do not want to fetch again and again from database while authorizing on controller action. (Don't want to use Session).
[![Role Permissions stored in DB][1]][1]
I probably am not understanding the depth of your question, but I see that your Authorize statement is slightly incorrect.
Try [Authorize(Roles="admin")]
It uses Microsoft.AspNetCore.Authorization;
There's also a Policy Based Authorization. [Authorize(Policy = "Seniors")]
I also found an answer here that may be of interest to you, it speaks of customizing Role Permissions:create custom authorize attribute
The trick will be to assign the User a role, then use the 'Authorize' on the action methods or on the page, or even in the view HTML by testing if the user IsInRole like:
#if(User.IsInRole"admin"){ Add HTML Here }
And if you do use 'Roles', remember that you can add multiple roles to the 'Authorize' tag something like [Authorize(Roles="admin, staff, user")] etc.
I created a multi-tenant application where each tenant have different set of users. I am trying to implement a functionality where same user might exist in different tenants. Does outsystems provide such functionality or I have to create my custom logic ?
Right now, I did create a user having same username in 2 different tenants and during login I am showing user to select tenants. But on changing tenants and logging to that tenant, the environment doesn't switch to that tenant that user has selected.
Below is the image of the logic of switching tenants and logging in the customer.
During debugging I saw that after executing TenantSwitch action it did change the Site.TenantID property but after User_Login action is reverted to the first tenant not the one user selected.
When you use User_Login(), the system will log you in the first Tenant it finds in the DB that has that username, thus ignoring your TenantSwitch().
So, if you want to login to a specific Tenant in your case, you need to be more explicit and instead use the Login() action - after the tenant switch.
For a thorough explanation of this, with example code, please check out the following deepdive Master Class on Multi-Tenancy starting around the 27:20 minute mark.
This isn't available out of the box as OutSystems assigns users (and all entities) to a specific tenant. Entities belonging to single tenanted modules are assigned to the default tenant.
OutSystems uses a hidden .Tenant_Id attribute on each entity to indicate which tenant that user belongs to. You can unhide this attribute for the users entity by selecting it, clicking More... and then ticking the relevant box in the Advanced tab. You can then access the attribute directly, but be aware this will hinder OutSystems' ability to do some of the stuff it does automatically to ensure that you access tenant specific data.
When you use the User_Login action OutSystems will deduce which tenant to use from the User.Tenant_Id attribute regardless of which tenant you've switched it to previously. The user would need an account for each tenant they need to use, but there's no reason this couldn't be done behind the scenes with OS fetching the correct username before logging in. You'd need to ensure they all stay in sync though, especially the passwords ofc.
I plan to develop a system that has three user types (admin, business, personal). I want to have each user types information stored in a separate table for easy access and to reduce the number of blank fields (if they were all in one table).
Having looked at multiple Multi-auth packages available for Laravel, they all appear to be insisting on an approach with URLs like the following:
/admin/login
/business/login
/personal/login
Ideally, I would like to take an approach where the standard Laravel Auth /login can be used meaning that all users log in from the same page.
My knowledge of Laravel is limited so all and any help is appreciated.
The usual approach is to have one users table which has the ID/email/username (as primary key), login credentials and user types for all the users which will be logging into the system. The information however can be stored in separate tables for each type, referencing the foreign key.
After authenticating the user, then you can decide what to do with the user based on the user type.
If you store login credentials in multiple tables, that's data redundancy. Unless you want the same email/username to have more than one user type, but then during login, the user has to decide which user type they want to log into (maybe by selecting a dropdown option).
Update: about user roles
If you need to simply redirect users after logging in, use $redirectTo. Or if you need to decide what to do with the users depending on the roles after logging, you can make use of authenticated() method (add this method if it's not already there, it will overwrite the AuthenticatesUsers trait) inside your AuthController/LoginController.
Throughout your application, I'd suggest assigning middleware to route groups to restrict routes based on user roles. And yes, in your views and controllers you can use something like if(Auth::user()->hasRole('business')) when needed, but first you'll need to create the hasRole() method in your User model. If you feel it's getting complicated, you may try packages like laravel-permission and Entrust. I haven't tried them though :)
I have a site with a page that contains some tabs and when selecting one, its content is retrieved from the server using an AJAX call. Every tab is loaded through a different controller. For example, I have a Customer page which contains Products and Clients tabs.
The site has different types of users with different permission levels.
What I want to do is to protect the controllers, and show the content of the tabs only if the logged in user has permission. So if a user without permission enters the url of the controller, it should redirect to the login page. The url is like this:
http://localhost/MyApp/Products/1
where 1 is the database ID of the product.
I can implement these 2 solutions but none of them is optimal:
Use the ChildOnlyAction attribute. I would mark the actions of the Product controller with this attribute and render the tabs from the main view using RenderAction. But it would mean that all the tabs on the page would have to be rendered, which is not optimal because I only want to load the data when the user clicks on the tab.
On every request to the Product controller, I would make a database query using the ID of the record to check if the user has permission to access it. But this means that for every request I would have to run an extra query.
I'm wondering if there is a better approach to this.
Similar to what Romias has suggested. You can combine the Authorize meta-attribute with a custom IAuthorizationFilter filter.
When you implement the Authorize meta-attribute you specify a list of users or roles that should have permission to that action. This lacks the ability to use a database to specify which ID's a user should have access to.
It is this ID-to-User mapping where the IAuthorizationFilter comes in to play. In the filter you can check the current user against the database.
A sample IAuthorizationFilter and its usage can be found on the following page:
http://geekswithblogs.net/brians/archive/2010/07/08/implementing-a-custom-asp.net-mvc-authorization-filter.aspx
Have you tried using Authorize filter to decorate the controllers you want to protect?
[Authorize(Roles = "UserType1")]
You could also extend the Authorize filter to add your own logic.
Here you can see an example of extending Authorize filter: https://stackoverflow.com/a/428266/7720