Computers, Programming, Technology, Music, Literature

Access Control through ASP.Net MVC Custom Action Filters

leave a comment »

 

A slightly different version of this article was originally published for www.prowareness.com and could be located at http://www.prowareness.com/blog/access-control-through-asp-net-mvc-custom-action-filters/

HttpModule being the gatekeeper ASP.Net, one level down is the Action Filters for ASP.Net MVC. While managing large scale applications, it would not always seem very rational to create new Controllers for every functionality sometimes. You may also want to restrict access to specific controllers or specific action methods, and if you worked it through you would end up with a code snipped like below. An if else condition everywhere you wanted access control.

        [HttpGet]
        public ActionResult CustomizeEmails()
        {
            if (Context.Login.IsAdministrator)
            {
                var viewModel = new CustomizeEmailViewModel();
                return View(viewModel);
            }
            else
            {
                return AccessDeniedView();
            }
        }

        [HttpGet]
        public ActionResult CustomizeUserHomePage()
        {
            if (Context.Login.IsAdministrator)
            {
                var viewModel = new CustomizeUserHomePageViewModel();
                return View(viewModel);
            }
            else
            {
                return AccessDeniedView();
            }
        }


Which is obviously redundant and does not reflect on code reusability principle. So you may choose to create a custom HttpModule for access control during the initial ASP.Net request pipeline, of if that is not a possible solution in your case (or like the one above in ASP.Net MVC), then you must be looking at building a custom action filter. Once you have that in place, you could decorate your required action methods with your access control custom filter, or the entire controller, or as a global action filter (post ASP.Net MVC 3) so that the action filter would get invoked on every controller in the application.

Below is the code snippet showing the bare minimal implementation of a custom action filter for access control. In case the current request does not come from an Administrator, then it redirects him to an AccessDenied action method in the CompanyController.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace WebClient.Filters
{
    public class AdminOnlyAction : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            //Cast the filterContext.Controller to the controller that has the access control information 
            //In my case it happened to be a BaseController
            var baseController = ((BaseController)filterContext.Controller);

            if (!baseController.Context.Login.IsAdministrator)
            {
                filterContext
                    .HttpContext
                    .Response
                    .RedirectToRoute(new { controller = "Company", action = "AccessDenied" });
            }

            base.OnActionExecuting(filterContext);
        }
    }
}

 

The if else statements in the first snippets would take a little more elegant, and neat form.

        [HttpGet]
        [AdminOnlyAction]
        public ActionResult CustomizeEmails()
        {
                var viewModel = new CustomizeEmailViewModel();
                return View(viewModel);
        }

        [HttpGet]
        [AdminOnlyAction]
        public ActionResult CustomizeUserHomePage()
        {
                var viewModel = new CustomizeUserHomePageViewModel();
                return View(viewModel);
        }


Thus you would have a simple, elegant, and powerful access control mechanism via a custom action filter. If you like this kind of cleanliness in non MVC projects, please take a look at POSTSHARP as well.

Advertisements

Written by gmaran23

March 12, 2014 at 8:11 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: