
I've created a small project for a fictitious private jet hire company. Here are my relevant project files: https://gist.github.com/anonymous/74d72f7b4c3c37257d16

Within this project, I have a database (under my App_data solution folder) named MyMainDB.mdf. When double clicked, it sends me to the Server Explorer, which contains another file called MyMainDBEntities; this contains my tables etc. (where the SystemUsers table is held).

I have the register/log in feature fully implemented and working. I can also display the entire list of users and edit that list remotely from the website when running the solution. However, how do I limit access to the AdminIndex view to only a user that is both logged in and logged in as admin@admin.com?

At the moment, once the solution is running, the user is simply allowed to navigate to the following URL: http://localhost:1921/MyTemplate/AdminIndex without any restriction. What do I need to add in terms of code in order to restrict access to the page if you're not logged in as an admin? Would anyone be able to show me an example of how I can do this? Once I know how to do this I can apply this knowledge to other key aspects of my project.

  • "How to implement authorization" is too broad. Use Identity and the Authorize attribute, don't roll your own. – CodeCaster Apr 08 '15 at 08:13
  • @CodeCaster Would you be able to give me an example of how this looks like/works? –  Apr 08 '15 at 08:14
  • Authentication and Authorization are two attributes: Authentication will check whether the user is logged in or not, and Authorization will check whether the user has specific rights to view a specific page. Another approach is to create a custom attribute which has both functionalities. Please read about Authentication and Authorization first, then you will be able to understand this properly. – Jinesh Jain Apr 08 '15 at 08:15
  • http://www.asp.net/identity – CodeCaster Apr 08 '15 at 08:16

1 Answer


Assuming `MyTemplate` is your Controller, you can add the `[Authorize]` attribute to your controller as below.

Note: You can set it at controller level or at action level.

```csharp
[Authorize]
public class MyTemplateController : Controller // Controller level
{
    // ...
}
```

OR

```csharp
[Authorize]
public ActionResult AdminIndex() // From the link mentioned above
{
    return View(ss.SystemUsers.ToList());
}
```

In your `web.config` add this:

```xml
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
```

and in your Login POST action method use `FormsAuthentication.SetAuthCookie` as below:

```csharp
// Requires: using System.Web.Security;
[HttpPost]
public ActionResult Login(LoginModel model, string returnUrl)
{
    // First check whether the model is valid
    if (ModelState.IsValid)
    {
        // User found in the database (IsValid follows the design in the linked gist)
        if (model.IsValid(model.Email, model.Password))
        {
            // Issue the forms-authentication cookie for this user
            FormsAuthentication.SetAuthCookie(model.Email, false);

            // Only follow returnUrl if it is a local, absolute path (no open redirect)
            if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
    }

    // If we got this far, something failed; redisplay the form
    return View(model);
}
```

That will do the work.

For more information visit this link

Guruprasad J Rao
  • Hi, thanks for the reply. Is there a specific place where I need to place my authentication tag (within the `web.config` file)? –  Apr 08 '15 at 08:58
  • Yea. Keep it under `` – Guruprasad J Rao Apr 08 '15 at 09:00
  • I get an interesting error that occurs: http://gyazo.com/15d16cd2c7f0d6a879a8bb801d797806 –  Apr 08 '15 at 09:06
  • You might have defined more than one `web.config` file. Please check **[this link](http://stackoverflow.com/questions/9300927/error-to-use-a-section-registered-as-allowdefinition-machinetoapplication-beyo)** for more information – Guruprasad J Rao Apr 08 '15 at 09:11
  • You are correct! Thanks! You have helped a lot :) I really appreciate it. Fantastic answer –  Apr 08 '15 at 09:19
  • Just to reiterate, to make the solution work perfectly I added `[Authorize(Users = "admin@admin.com")]` just above `ActionResult AdminIndex()` in order to specifically allow the user admin@admin.com to view the AdminIndex page :) –  Apr 08 '15 at 09:24
  • Yea.. You have that overload option for authorize attribute.. Glad it helped... Happy coding.. :) – Guruprasad J Rao Apr 08 '15 at 09:25
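As an added example (not code from the question, the answer or its comments), a custom attribute that covers both the answer's `[Authorize]` approach and the asker's later `[Authorize(Users = "admin@admin.com")]`: it reads admin status from the SystemUsers table instead of hard-coding one address, and returns 403 to a logged-in non-admin rather than bouncing them to the login page, which the default attribute does. It assumes SystemUsers has an `Email` column and a boolean `IsAdmin` column (both assumptions) and that `MyMainDBEntities` is the Entity Framework context named in the question.

```csharp
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the question or the answer.
// Assumed: SystemUsers has an Email column and a bool IsAdmin column,
// and MyMainDBEntities is the Entity Framework context named in the question.
public class AdminOnlyAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User == null ? null : httpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return false; // anonymous: fall through to the normal login redirect

        // identity.Name is whatever was passed to FormsAuthentication.SetAuthCookie
        // at login (the user's e-mail in the answer above).
        string email = identity.Name;
        using (var db = new MyMainDBEntities())
        {
            return db.SystemUsers.Any(u => u.Email == email && u.IsAdmin);
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Logged in but not an admin: 403, not a bounce back to the login page
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }
        // Not logged in: default 401, which forms authentication turns into
        // a redirect to the loginUrl configured in web.config.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

public class MyTemplateController : Controller
{
    private readonly MyMainDBEntities ss = new MyMainDBEntities();

    [AdminOnly] // replaces [Authorize(Users = "admin@admin.com")]
    public ActionResult AdminIndex()
    {
        return View(ss.SystemUsers.ToList());
    }
}
```

Promoting or demoting an admin then becomes a row update in SystemUsers rather than a code change and redeploy.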