Good day! There is a gap in my knowledge and I don't know how to fill it :( In short, there is an ASP.NET MVC project with an authorization filter on each controller method

[Authorize(Users = "user@mail.com")] 

And there is a function that builds a string of allowed users in the form "user1@mail.com, user2@mail.com, user3@mail.com". It looks like this

 private string getAllowedUsers(string method) { } 

How do I put this function in the filter so that I end up with something like

 [Authorize(Users = getAllowedUsers(method))] 

In this form it naturally does not work; it requires an object. How can this be done?

    2 answers

    Option one - use roles:

     [Authorize(Roles = "...")] 

    To do this, the user's roles are computed in advance at the authentication stage.

    Option two - inherit from AuthorizeAttribute, override the AuthorizeCore method, and write any logic of your own there.

    • We have authorization through organization accounts, there are no roles - Sergey Tambovtsy
    • And what prevents you from adding them?.. In any case, I wrote two options. The second option does not need roles. - Pavel Mayorov
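Option two from the answer above, sketched as an added example (not code from either answerer). It assumes ASP.NET MVC 5, that `Identity.Name` carries the user's e-mail address, and a hypothetical `AccessPolicy.GetAllowedUsers` standing in for the asker's `getAllowedUsers(method)` with constructed sample data; the attribute name and the "Reports.Export" key are also made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical stand-in for the asker's getAllowedUsers(method); constructed sample data.
public static class AccessPolicy
{
    private static readonly Dictionary<string, string> Map =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "Reports.Export", "user1@mail.com, user2@mail.com" } };

    public static string GetAllowedUsers(string method)
    {
        string users;
        return Map.TryGetValue(method, out users) ? users : string.Empty; // unknown key: nobody allowed
    }
}

// The attribute argument stays a compile-time constant (a lookup key);
// the user list itself is resolved on every request inside AuthorizeCore.
public sealed class AllowedUsersAttribute : AuthorizeAttribute
{
    private readonly string _method; // read-only: MVC may reuse one attribute instance across requests

    public AllowedUsersAttribute(string method) { _method = method; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        var allowed = AccessPolicy.GetAllowedUsers(_method)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(u => u.Trim()).Where(u => u.Length > 0);
        return allowed.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but not on the list: answer 403 instead of bouncing back to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
// Usage: [AllowedUsers("Reports.Export")] public ActionResult Export() { ... }
```

Overriding only `AuthorizeCore` keeps the base class's output-cache revalidation, so a cached page is not served to a user who has since been removed from the list.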

    Attributes can only use constant values. In ASP.NET MVC there is such a concept as user roles. In your case, it is advisable to use this functionality.

     [Authorize(Roles="admin")] 

    It is also allowed to specify several roles and specific users:

     [Authorize(Roles="admin,user", Users="user1@mail.com")] 

    Roles and users are created as follows:

     using Microsoft.AspNet.Identity;
     using Microsoft.AspNet.Identity.EntityFramework;

     var userManager = new ApplicationUserManager(new UserStore<ApplicationUser>(context));
     var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(context));

     // create two roles
     var role1 = new IdentityRole { Name = "admin" };
     var role2 = new IdentityRole { Name = "user" };

     // add the roles to the database
     roleManager.Create(role1);
     roleManager.Create(role2);

     // create the users
     var admin = new ApplicationUser { Email = "somemail@mail.ru", UserName = "somemail@mail.ru" };
     string password = "ad46D_ewr3";
     var result = userManager.Create(admin, password);

     // if the user was created successfully
     if (result.Succeeded)
     {
         // add the roles to the user
         userManager.AddToRole(admin.Id, role1.Name);
         userManager.AddToRole(admin.Id, role2.Name);
     }

    Example from here: Working with roles in AspNet Identity

    • 600 users, and they will be authorized through Azure Active Directory. This option does not fit. - Sergey Tambovtsy
    • @sergeitambovtsev on the contrary, role-based authorization with Active Directory is very convenient! - Pavel Mayorov
    • @PavelMayorov create the roles first and then add everyone manually? Very convenient indeed. - Sergey Tambovtsy
    • @sergeytambovtsev inside getAllowedUsers you also do it manually, or do you already have some solution? So why not use it? - Pavel Mayorov
    • @PavelMayorov Imagine a situation where 2 groups of users first had access to the method, and now you need to give access to a third. I am not going to go in and manually add the group name to the attribute; there must be a way to substitute a string value there that was computed while the application was running - Sergey Tambovtsy