ASP.NET MVC Authorize user with many roles
Solution 1
As the question states, when multiple roles are given in a single Authorize()
call they are applied such that if the user belongs to any of the roles listed they will be granted access; like a logical OR
operator.
Alternatively, to achieve the effect of a logical AND
operator you can apply the Authorize
attribute multiple times. Eg..
[Authorize(Roles = "Producer")]
[Authorize(Roles = "Editor")]
public ActionResult Details(int id) {
// Only available to users who are Producers AND Editors
}
For the example above, the action body is accessible only to users who belong to the Producer
and the Editor
roles.
Rudi points out in the comments this lets you create some reasonably complex access rules without needing to implement a custom AuthorizeAttribute
. For example, in the code below users can execute the action if they are both: a) in the Enabled
role and b) in either the Editor
or Admin
roles.
[Authorize(Roles = "Enabled")]
[Authorize(Roles = "Editor,Admin")]
public ActionResult Details(int id) {
// Only available to users who are Enabled AND either an Admin OR an Editor
}
I'm not sure which version brought this in but it works in at least MVC 4 and 5.
Solution 2
You should do your custom AuthorizeAttribute
public class AuthorizeMultipleAttribute : AuthorizeAttribute
{
//Authorize multiple roles
public string MultipleRoles { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var isAuthorized = base.AuthorizeCore(httpContext);
if (!isAuthorized)
{
return false;
}
//Logic here
//Note: Make a split on MultipleRoles, by ','
//User is in both roles => return true, else return false
}
}
DEMO :
[AuthorizeMultiple(MultipleRoles ="Role1,Role2")]
public class UserController{
}
Related videos on Youtube
Herno
I am currenty working as a software developer in many projects involving different technologies and platforms like PHP, .NET, ASP.NET, Java, Mobile, SQL Server, MySql etc.
Updated on July 05, 2022Comments
-
Herno almost 2 years
I need to authorize a Controller in my ASP.NET MVC application to users which have two roles. I am using Authorize attribute like this:
[Authorize(Roles = "Producer, Editor")]
But this allows Producers and Editors to the controller. I want only to allow users having both roles, not just one of them.
How could i achive this?
-
Tom Chantler almost 10 yearspossible duplicate of Using MVC's AuthorizeAttribute with multiple groups of Roles?
-
Worthy7 almost 8 yearsJust so you know the reason this is happening is because you have a design flaw. I'm not sure about your context but just think about it carefully. There is some action which can be taken. You want that action to only be taken by someone who is both a producer and an editor. I cannot possibly imagine what that is. What I suggest you do, is make a new special role (Administrator?) or if this seems dumb, then I'd like to know the context (What is the action you are trying to achieve?)
-
-
Rudi Visser over 8 yearsThis is a much better solution, and also allows for more complex scenarios such as
[Authorize(Roles = "EitherThis,OrThis")][Authorize(Roles="ButAlwaysThis")]