ASP.NET MVC Authorize user with many roles

c# asp.net asp.net-mvc security authorization

22,384

Solution 1

As the question states, when multiple roles are given in a single Authorize() call they are applied such that if the user belongs to any of the roles listed they will be granted access; like a logical OR operator.

Alternatively, to achieve the effect of a logical AND operator you can apply the Authorize attribute multiple times. Eg..

[Authorize(Roles = "Producer")]
[Authorize(Roles = "Editor")]
public ActionResult Details(int id) {
    // Only available to users who are Producers AND Editors
}

For the example above, the action body is accessible only to users who belong to the Producer and the Editor roles.

Rudi points out in the comments this lets you create some reasonably complex access rules without needing to implement a custom AuthorizeAttribute. For example, in the code below users can execute the action if they are both: a) in the Enabled role and b) in either the Editor or Admin roles.

[Authorize(Roles = "Enabled")]
[Authorize(Roles = "Editor,Admin")]
public ActionResult Details(int id) {
    // Only available to users who are Enabled AND either an Admin OR an Editor
}

I'm not sure which version brought this in but it works in at least MVC 4 and 5.

Solution 2

You should do your custom AuthorizeAttribute

public class AuthorizeMultipleAttribute : AuthorizeAttribute
{

   //Authorize multiple roles
   public string MultipleRoles { get; set; }

  protected override bool AuthorizeCore(HttpContextBase httpContext)
  {
      var isAuthorized = base.AuthorizeCore(httpContext);
      if (!isAuthorized)
      {                
        return false;
      }

      //Logic here
      //Note: Make a split on MultipleRoles, by ','
      //User is in both roles => return true, else return false
  }

}

DEMO :

[AuthorizeMultiple(MultipleRoles ="Role1,Role2")]
public class UserController{
}

22,384

Herno

I am currenty working as a software developer in many projects involving different technologies and platforms like PHP, .NET, ASP.NET, Java, Mobile, SQL Server, MySql etc.

Updated on July 05, 2022

Comments

Herno almost 2 years

I need to authorize a Controller in my ASP.NET MVC application to users which have two roles. I am using Authorize attribute like this:

[Authorize(Roles = "Producer, Editor")]

But this allows Producers and Editors to the controller. I want only to allow users having both roles, not just one of them.

How could i achive this?
- Tom Chantler almost 10 years
  
  possible duplicate of Using MVC's AuthorizeAttribute with multiple groups of Roles?
- Worthy7 almost 8 years
  
  Just so you know the reason this is happening is because you have a design flaw. I'm not sure about your context but just think about it carefully. There is some action which can be taken. You want that action to only be taken by someone who is both a producer and an editor. I cannot possibly imagine what that is. What I suggest you do, is make a new special role (Administrator?) or if this seems dumb, then I'd like to know the context (What is the action you are trying to achieve?)
Rudi Visser over 8 years

This is a much better solution, and also allows for more complex scenarios such as [Authorize(Roles = "EitherThis,OrThis")][Authorize(Roles="ButAlwaysThis")]