• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 796
  • Last Modified:

Creating an administrators only partition in asp.net MVC app without using membership provider

I want to partition off an admin area in my MVC app however I am not using membership provider just forms authentication.

I have my own user and roles table and each user is assigned a role.   I can check through the app for each users role
Eg.   If user.role = “admin” then ………and so on

I have created an Admin folder for my views and setup routing in global.asax (see code).
What would I need to do now?

Say I have a “UserController” that deals with managing users; only admins can access this so would I do this?

I can set the  [Authorize] attribute on each action method but as I am not using membership I am unsure if I can do anything else.





routes.MapRoute(
                "DefaultAdmin",                                         // Route name
                "admin/{controller}/{action}/{id}",                    // URL with parameters
                new { controller = "Admin", action = "Index", id = "" } // Parameter defaults
            );

Open in new window

0
ToString1
Asked:
ToString1
  • 2
  • 2
1 Solution
 
jamesbaileCommented:
Is there any reason why you are not using a membership provider? If you have your own schema then you can always create your own provider which will make the management of the whole site a lot easier.
0
 
ToString1Author Commented:
HI Yes
It was probably a mistake not to use membership provider but it is late in the project so I need a fix.



0
 
jamesbaileCommented:
If you can't create your own membership provider then presumably you are handling the logging in, in your code, in which case you will need to make sure that you add the roles that the user is authorised for to the security principle when you authenticate. Then you will be able to use the [Authorize] attribute on your controllers.
0
 
ToString1Author Commented:
HI Yes

I am using the [Authorize]  attribute on my controllers and that works fine.

In code I can do

If user.role = “admin” ......

However I cannot add this to the [Authorize] attribute ?  
[Authorize roles="admin"]  because I am not using membership provider.

I need an approach were everything within the admin folder is only accessed by admin roles

So if I try to access an views/admin/index
Then I check

If user.role = “admin”
//if they are then OK but if not

redirect to "not authorised" ?

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now