3

I have an asp.net mvc application. All the pages are accessible in the asp.net mvc application only after authentication (Authorize attribute) except for the login page (Annonymous). In the login page we have Register link for the new users. How can I restrict the Register link to be accessible only for specific users or for specific roles.

We do not want everyone to use the Register page to create a user name and password.

How is this possible with ASP.NET MVC authorization. We are using the standard SQL Membership and role provider in the application.

Improve this question
3
  • Does it make sense? If you want to register new user, that means he doesn't have an account yet, so he is anonymous for you.. Commented Oct 3, 2012 at 10:10
  • Agreed. If an user is not registered he won't have access. But we only want to allow registration for specific users (may be based on user name). Commented Oct 3, 2012 at 13:58
  • 1
    What user name? If they aren't registered they haven't got a user name? Commented Mar 5, 2013 at 9:38

1 Answer 1

Reset to default
5

Making sure a user is logged in to gain access to a view

The easiest way to accomplish this is to use the Authorize attribute above a controller's action method. For instance, we only want to allow users to change thier password if they are already logged into the site. In order to prevent non-authorized users from reaching the change password view we can restrict access like this:

[Authorize]
public ActionResult ChangePassword()
{
    ViewData["PasswordLength"] = MembershipService.MinPasswordLength;
    return View();
}

You can also accomplish this manually by checking against the User object like this:

public ActionResult ChangePassword()

    {
        if (!User.Identity.IsAuthenticated)
            return RedirectToAction("LogOn", "Account");

        ViewData["PasswordLength"] = MembershipService.MinPasswordLength;
        return View();
    }


Making sure a user is in a particular role to gain access to a view

You may have some views which should only be accessable to users of a particular role. This can also be accomplished using the Authorize attribute like this:

[Authorize(Roles = "Administrator")]
public ActionResult Index()
{
    return View();
}

You can accomplish this in code as well using the following method:

public ActionResult Index()
{
    if (!User.IsInRole("Administrator"))
        return RedirectToAction("LogOn", "Account");

    return View();
}

reference: Using our Role and Membership Providers

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.