I have an asp.net MVC 3 system which different actions have different permissions.
All the permissions are managed using attributes that defines the required user permission.
I would also like to remove any buttons (or links) that the user is not permitted to click on.
Is there any way to do so without doing a lot of if-s in my views ?
Thanks.
Is there any way to do so without doing a lot of if-s in my views ?
You could write custom HTML helpers that will generate those buttons. For example:
#Html.Button("button text", "role1,role2");
The custom helper will check whether the current user posses one of the required roles and only in this case generate the corresponding button.
For example:
public static class HtmlExtensions
{
public static IHtmlString Button(this HtmlHelper htmlHelper, string buttonText, string roles)
{
var rolesSplit = (roles ?? string.Empty).Split(',');
var user = htmlHelper.ViewContext.HttpContext.User;
if (!user.Identity.IsAuthenticated || !rolesSplit.Any(user.IsInRole))
{
return MvcHtmlString.Empty;
}
var button = new TagBuilder("button");
button.SetInnerText(buttonText);
return new HtmlString(button.ToString());
}
}
Related
I am building a rather simple site with ASP.NET Core MVC 2.0 that is more or less an image gallery, just for me. I am not using any database so far. It is just a json file with metadata and the image files itself.
Now this site is supposed to get a hidden admin page where I (and only I) can upload new pictures.
What would be a simple but still secure way to add this admin page without having to introduce a full fledged user management to the site? I'd like to avoid to add a database and entity framework etc. to the site - there will only be one user.
In other words, what is a secure and simple way to add user management where there are is only one user that authenticates: Me, the admin.
Store a hashed version of your desired username/password in the appsettings.json and then rehash the values provided through the login screen and compare them.
Here's an example of how logging in could be accomplished. This bootstraps off of the default hasher present in Asp.Net Identity but you could use any hashing function.
You might want to create some other helpers too in case you want to reset the hashed password from your application versus having to go into the settings file.
appsettings.json
{
...
"LoginCredentials": {
"UsernameHash": "AQAAAAEAACcQAAAAENmv+riLvtTIa5wafXxzEX4rMSMXwVzG00q4jZKBI7Lx/oe2PFdqW1r521HBsL567g==",
"PasswordHash": "AQAAAAEAACcQAAAAEKwwppiixEQM9QO7hOXcoXXgIvHKs9QHRz1k0lAZ3noVwID2lv+I+Dwc9OheqDGFBA=="
}
}
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
//Assuming services.AddIdentity<...>(...) is not added as a service
services.Configure<LoginCredentialOptions>(Configuration.GetSection("LoginCredentials"));
services.AddTransient<IPasswordHasher<User>, PasswordHasher<User>>();
...
}
LoginCredentialOptions.cs
public class LoginCredentialOptions
{
public string UsernameHash { get; set; }
public string PasswordHash { get; set; }
}
AccountController.cs
...
public async Task<IActionResult> Login([FromServices] IOptions<LoginCredentialOptions> loginCreds, LoginViewModel model, string returnUrl = null)
{
if (ModelState.IsValid)
{
var passwordResult = passwordHasher.VerifyHashedPassword(null, loginCreds.Value.PasswordHash, model.Password);
var usernameResult = passwordHasher.VerifyHashedPassword(null, loginCreds.Value.UsernameHash, model.Username);
if (passwordResult == PasswordVerificationResult.Success &&
usernameResult == PasswordVerificationResult.Success)
{
//Create identity cookie and sign in
RedirectToAction(nameof(Index), "Home");
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
I am trying to implement MVVM pattern in my xamarin mobile project.
I have following files for MVVM
LoginView
LoginViewModel
BaseViewModel
Following is my LoginViewModel
public class LoginViewModel : BaseViewModel
{
private bool isLoginIndicator= false;
private string etUserName;
private string etPassword;
public LoginViewModel()
{
OnLogin = new Command(doLogin , ()=>!LoginIndicator);
MessagingCenter.Subscribe<IMessage, EventType>(this, RestApi.UI_EVENT, (sender, eventType) =>
{
LoginIndicator = false;
if (eventType.status)
{
Application.Current.MainPage.DisplayAlert(AppResources.success, "Login done", "Ok");
}
else
{
Application.Current.MainPage.DisplayAlert(AppResources.failed, eventType.errorMessage, "Ok");
}
});
}
public bool LoginIndicator
{
get { return isLoginIndicator; }
set
{
isLoginIndicator = value;
OnPropertyChanged("LoginIndicator");
OnLogin.ChangeCanExecute();
}
}
public string UserName
{
get { return etUserName; }
set
{
etUserName = value;
OnPropertyChanged("UserName");
}
}
public string Password
{
get { return etPassword; }
set
{
etPassword = value;
OnPropertyChanged("Password");
}
}
public Command OnLogin { get; }
void doLogin()
{
LoginIndicator = true;
UserRequest user = new UserRequest();
user.userName = etUserName;
user.password = etPassword;
user.companyId = "CEE";
user.appVersion = Constants.getAppVersion();
user.osVersion = Constants.getOSVersion();
user.deviceId = Constants.getDeviceModel() + " " + Constants.getDevicePlatform();
new RestApi().userLogin(JsonConvert.SerializeObject(user));
}
}
This class usually makes a webservice call when OnLogin command gets fired from Button and broadcast the Message using MessageCenter
Now i want to navigate to my MainPage which is master page once the user is logged in successfully hence i need to navigate to master page when eventType.status is true inside the Message Subscriber
but i don't know how can i properly navigate to other pages according to MVVM pattern.
i tried to search on net and i found there are ready made frameworks available like MVVMCross and MVVMLight etc. But i do not want to use those dependecies and willing to implement navigation some other way if anyone can suggest
MVVM says nothing about navigation, so basically every option will be fine.
The only thing against code like:
Application.Current.MainPage = new MyFirstPageAfterLogin();
Is that you now have a reference to a page from your ViewModel, which should not be what you want. That is why MVVM frameworks tend to implement a concept called ViewModel-to-ViewModelnavigation. With that, you can specify a ViewModel that you want to navigate to. Depending on the framework (or how they implemented it), they have you register a coupling first or use a naming convention. For instance; I like to use FreshMvvm, which does this by naming convention.
So when I want to navigate to the PageAfterLoginPage, I create a PageAfterLoginPageModel. From my ViewModel (or PageModel in Xamarin naming) I can now navigate to the PageModel, instead of making a hard reference to the page. This way, Page and PageModel are separated and I can easily swap out the View if I wanted to.
So, either use an already existing framework, or peek into their Github repo to see how they do it if you insist on doing it yourself.
With the latest tools do a File / New Project / CrossPlatform / Master-Detail. The master-detail template is all MVVM, without using any 3rd party frameworks. There are permutatations of native and forms. Great for learning and exploring.
Healy in Tampa.
What I have is the following extension method:
public MyCustomAttribute[] GetActionAttributes(
this Controller #this,
string action,
string controller,
string area,
string method)
{
}
How does ASP.NET MVC 3 find the action method, given the area, controller, action names and the method (GET, POST)?
To this moment I have nothing... no clues on how to do this.
I am currently looking for the stack trace inside a controller action, to find out how MVC dicovered it.
Why I need these attributes
My attributes contain information about whether a given user can or not access it... but depending on whether they can or not access it, I wan't to show or hide some html fields, links, and other things that could call that action.
Other uses
I have thought of using this to place an attribute over an action, that tells the css class of the link that will be rendered to call it... and some other UI hints... and then build an HtmlHelper that will render that link, looking at these attributes.
Not a duplicate
Yes, some will say this is possibly a duplicate of this question...
that does not have the answer I want:
How can i get the MethodInfo of the controller action that will get called given a request?
That's why I have specified the circumstances of my question.
I have looked inside MVC 3 source code, and tested with MVC 4, and discovered how to do it.
I have tagged the question wrong... it is not for MVC 3, I am using MVC 4. Though, as I could find a solution looking at MVC 3 code, then it may work with MVC 3 too.
At the end... I hope this is worth 5 hours of exploration, with a lot trials and errors.
Works with
MVC 3 (I think)
MVC 4 (tested)
Drawbacks of my solution
Unfortunately, this solution is quite complex, and dependent on things that I don't like very much:
static object ControllerBuilder.Current (very bad for unit testing)
a lot of classes from MVC (high coupling is always bad)
not universal (it works with MVC 3 default objects, but may not work with other implementations derived from MVC... e.g. derived MvcHandler, custom IControllerFactory, and so on ...)
internals dependency (depends on specific aspects of MVC 3, (MVC 4 behaves like this too) may be MVC 5 is different... e.g. I know that RouteData object is not used to find the controller type, so I simply use stub RouteData objects)
mocks of complex objects to pass data (I needed to mock HttpContextWrapper and HttpRequestWrapper in order to set the http method to be POST or GET... these pretty simple values comes from complex objects (oh god! =\ ))
The code
public static Attribute[] GetAttributes(
this Controller #this,
string action = null,
string controller = null,
string method = "GET")
{
var actionName = action
?? #this.RouteData.GetRequiredString("action");
var controllerName = controller
?? #this.RouteData.GetRequiredString("controller");
var controllerFactory = ControllerBuilder.Current
.GetControllerFactory();
var controllerContext = #this.ControllerContext;
var otherController = (ControllerBase)controllerFactory
.CreateController(
new RequestContext(controllerContext.HttpContext, new RouteData()),
controllerName);
var controllerDescriptor = new ReflectedControllerDescriptor(
otherController.GetType());
var controllerContext2 = new ControllerContext(
new MockHttpContextWrapper(
controllerContext.HttpContext.ApplicationInstance.Context,
method),
new RouteData(),
otherController);
var actionDescriptor = controllerDescriptor
.FindAction(controllerContext2, actionName);
var attributes = actionDescriptor.GetCustomAttributes(true)
.Cast<Attribute>()
.ToArray();
return attributes;
}
EDIT
Forgot the mocked classes
class MockHttpContextWrapper : HttpContextWrapper
{
public MockHttpContextWrapper(HttpContext httpContext, string method)
: base(httpContext)
{
this.request = new MockHttpRequestWrapper(httpContext.Request, method);
}
private readonly HttpRequestBase request;
public override HttpRequestBase Request
{
get { return request; }
}
class MockHttpRequestWrapper : HttpRequestWrapper
{
public MockHttpRequestWrapper(HttpRequest httpRequest, string httpMethod)
: base(httpRequest)
{
this.httpMethod = httpMethod;
}
private readonly string httpMethod;
public override string HttpMethod
{
get { return httpMethod; }
}
}
}
Hope all of this helps someone...
Happy coding for everybody!
You can achieve this functionality by using the AuthorizeAttribute. You can get the Controller and Action name in OnAuthorization method. PLease find sample code below.
public sealed class AuthorizationFilterAttribute : AuthorizeAttribute
{
/// <summary>
/// Use for validate user permission and when it also validate user session is active.
/// </summary>
/// <param name="filterContext">Filter Context.</param>
public override void OnAuthorization(AuthorizationContext filterContext)
{
string actionName = filterContext.ActionDescriptor.ActionName;
string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
if (!IsUserHasPermission(controller, actionName))
{
// Do your required opeation
}
}
}
if you have a default route configured like
routes.MapRoute(
"Area",
"",
new { area = "MyArea", controller = "Home", action = "MyAction" }
);
you can get the route information inside the controller action like
ht tp://localhost/Admin
will give you
public ActionResult MyAction(string area, string controller, string action)
{
//area=Admin
//controller=Home
//action=MyAction
//also you can use RouteValues to get the route information
}
here is a great blog post and a utility by Phil Haack RouteDebugger 2.0
This is a short notice! Be sure to use filterContext.RouteData.DataTokens["area"]; instead of filterContext.RouteData.Values["area"];
Good Luck.
For our web app I want to let developers create accounts using our api, when an account is created the URI has a subdomain. To accomplish this, do I have to have two separate API's because the URL is different.
For account creation: api.example.com/v1
For account usage: subdomain.example.com/api/v1/
we are using .net mvc3, can this be done with one set of api's and routes?
You should set up routing to get to the relevant controller+action as usual, and inside an action (or much better - using an ActionFilter), examine the subdomain and set the appropriate code that determines the who the user is, for further handling.
Example of a filter would be:
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public class SubdomainFilter : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
int? userID = null;
Uri uri = filterContext.HttpContext.Request.Url;
if (uri != null)
{
string domain = uri.Host;
// do whatever you need analyzing the 'domain' variable... like getting the user id according to the subdomain. Let's say we discoveered that the user id is 1.
userID = 1;
}
if (filterContext.ActionParameters.ContainsKey("Subdomain"))
filterContext.ActionParameters["SubdomainUser"] = userID;
base.OnActionExecuting(filterContext);
}
}
and then your action would be:
[SubdomainFilter]
public virtual ActionResult GetUserName(int? userID)
{
...
}
I have an MVC 3 C# / ADO.NET / Dynamic Data app set up and working(ish). To set it up I created an MVC 3 app, added the Dynamic Data components in, split out Presentation, Business and Data in to three projects, set the references to match the MVC pattern and set up the routes and scaffolding.
List, Edit and Insert all work with the standard DD page templates, however I've hit a wall getting the Presentation Layer to apply data type attributes to the data displayed in Gridview and Details views, particularly for URLs, which I want be typed as DataType.Url and so use the associated DD display attributes.
Have tried setting up a meta data class for the Link table and applying something like:
[DataType(DataType.Url)]
public object URL {get; set;}
(the Url field in table "Link" is "URL")
.. within a partial class, which is something I read about for pure DD sites.
Can anyone point me in the right direction, or tell me if is this even possible?
Many Thanks.
Yes this is possible. I would write a custom FieldTemplate for Urls. Using the UIHint metadata, you can assign a custom fieldtemplate to the column. Something like this (untested):
public partial class FooUrl : System.Web.DynamicData.FieldTemplateUserControl
{
string getUrl()
{
var metadata = MetadataAttributes.OfType<DataTypeAttribute>().FirstOrDefault();
if (metadata == null)
return FieldValueString;
switch (metadata.DataType)
{
case DataType.Url:
string url = FieldValueString;
if (url.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
return url;
return "http://" + FieldValueString;
case DataType.EmailAddress:
return "mailto:" + FieldValueString;
default:
throw new Exception("Unknown DataType");
}
}
protected override void OnDataBinding(EventArgs e)
{
HyperLinkUrl.NavigateUrl = getUrl();
}
public override Control DataControl
{
get
{
return HyperLinkUrl;
}
}
}
}
I hope this helps.