Recently I developed a strategy which I think works well for authorizing access to user groups (Roles) without using the string names of those groups.
The problem I am trying to avoid is writing something like [Authorize(Roles="AdminRole")] on a controller or action, since role names can change and a single typo in that string silently breaks the authorization check.
So first of all I usually have a static class which holds the names and aliases of all roles, so that a rename happens in one place:
This is pretty standard for me, but unfortunately I can't just write [Authorize(Roles=RoleNames.Admin)], because attribute arguments must be compile-time constant expressions. As a solution I came up with the idea of a custom attribute that tightly controls access based on specific role criteria.
Creating a Custom Authorize Attribute
When creating the custom authorize attribute I inherit from AuthorizeAttribute, since it already contains most of the logic I need. All I have to do is set the Roles property in the constructor to a comma-delimited list of the authorized roles, and the base class takes care of the rest.
For example – to restrict access to just the admin role:
Or if you want to include the project admins as well:
Then on your controller you restrict access like this:
And it also works on an action:
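Here is the whole pattern worked through as an added example (not the post's own code): the role-name class, a shared base attribute, the two derived attributes, and both controller- and action-level usage. It assumes ASP.NET MVC's System.Web.Mvc.AuthorizeAttribute; the role names, controller names and actions are made up for illustration, and the base class adds a guard the post does not mention, because AuthorizeAttribute with an empty Roles list admits any authenticated user.

```csharp
using System;
using System.Web.Mvc;

// Single source of truth for role names (illustrative values).
// Rename a role here and every attribute below follows.
public static class RoleNames
{
    public static readonly string Admin = "AdminRole";
    public static readonly string ProjectAdmin = "ProjectAdminRole";
}

// Shared base: joins the given roles into the comma-delimited Roles
// string that AuthorizeAttribute splits and checks via IPrincipal.IsInRole.
public abstract class RoleAuthorizeAttribute : AuthorizeAttribute
{
    protected RoleAuthorizeAttribute(params string[] roles)
    {
        // Guard added here: an empty or blank Roles value makes the base
        // class accept ANY authenticated user, so fail loudly instead of
        // silently widening access.
        if (roles == null || roles.Length == 0
            || Array.Exists(roles, string.IsNullOrWhiteSpace))
        {
            throw new ArgumentException("At least one non-empty role name is required.", "roles");
        }
        Roles = string.Join(",", roles);
    }
}

// Only the admin role.
public sealed class AuthorizeAdminAttribute : RoleAuthorizeAttribute
{
    public AuthorizeAdminAttribute() : base(RoleNames.Admin) { }
}

// Admins or project admins.
public sealed class AuthorizeAnyAdminAttribute : RoleAuthorizeAttribute
{
    public AuthorizeAnyAdminAttribute()
        : base(RoleNames.Admin, RoleNames.ProjectAdmin) { }
}

// Controller level: every action in here requires the admin role.
[AuthorizeAdmin]
public class UsersController : Controller
{
    public ActionResult Index() { return View(); }
}

// Action level: only this action is opened up to project admins as well.
public class ProjectsController : Controller
{
    [AuthorizeAnyAdmin]
    public ActionResult Settings(int id) { return View(); }
}
```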