Securing controller action in ASP.NET MVC

Question

In ASP.NET MVC 2, to secure controller action, i have created a class RequirePermission inherited from ActionFilterAttribute class. The controller action looks like

[RequirePermission(permissions="CanView")]

    public ActionResult List()
    {
       ...
    }

I have an enum with name Permissions

public enum Permissions { CanDoEdit, CanView, CanInsert }

The RequirePermission class looks like

public class RequirePermission : ActionFilterAttribute
    {
        public string permissions;
        string[] param = { "," };
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {

            string[] requirePermissions = permissions.Split(param, StringSplitOptions.RemoveEmptyEntries);


           if (requirePermissions.Contains(Permissions.CanDoEdit.ToString()))
           {
                     //Check permission 
           }
           if (requirePermissions.Contains(Permissions.CanView.ToString()))
           {
                     //Check permission 
           }
           if (requirePermissions.Contains(Permissions.CanInsert.ToString()))
           {
                    //Check permission 
           }
        }
    }

Now instead of making different attributes , I want to use RequirePermission attribute like [RequirePermission(permissions=Permissions.CanView+","+Permissions.CanEdit)] so that i can use it for different scenerious. but the compiler throw the following error.

An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type

Darin Dimitrov · Accepted Answer · 2010-02-02 12:01:18Z

4

How about:

[Flags]
public enum Permissions 
{ 
    CanDoEdit = 1 << 0, 
    CanView = 1 << 1,
    CanInsert = 1 << 2
}

And then:

[RequirePermission(permissions = Permissions.CanView & Permissions.CanEdit)]

And finally to verify that CanView is set:

if ((requirePermissions & Permissions.CanView) == Permissions.CanView)
{
    // The user has CanView permission
}

edited Feb 2, 2010 at 12:01

answered Feb 2, 2010 at 11:17

Darin Dimitrov

1.0m275 gold badges3.3k silver badges3k bronze badges

Sign up to request clarification or add additional context in comments.

2 Comments

Darin Dimitrov Over a year ago

Actually I made a mistake by using Permissions.CanView | Permissions.CanEdit. I think it should be Permissions.CanView & Permissions.CanEdit to express that a user has both permissions.

Adeel Over a year ago

i think you are wrong. To set both permissions, use Permissions.CanView | Permissions.CanEdit. But to avoid overwriting the enum values, i have set the values in pover of 2.

Collectives™ on Stack Overflow

Securing controller action in ASP.NET MVC

1 Answer 1

2 Comments

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

2 Comments

Related