Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>While I agree that generating urls based on permissions is probably not best practices, if you want to continue anyway you can find the actions and their attributes using these:</p> <p><strong>Retrieve 'Action' methods:</strong> This retrieves a collection of method infos because it is possible to have multiple Controller classes with the same name and multiple methods of the same name in particular with the use of areas. If you have to worry about this I'll leave the disambiguation up to you.</p> <pre><code>public static IEnumerable&lt;MethodInfo&gt; GetActions(string controller, string action) { return Assembly.GetExecutingAssembly().GetTypes() .Where(t =&gt;(t.Name == controller &amp;&amp; typeof(Controller).IsAssignableFrom(t))) .SelectMany( type =&gt; type.GetMethods(BindingFlags.Public | BindingFlags.Instance) .Where(a =&gt; a.Name == action &amp;&amp; a.ReturnType == typeof(ActionResult)) ); } </code></pre> <p><strong>Retrieve Permissions from MyAuthorizationAttributes:</strong> </p> <pre><code>public static MyAuthorizations GetMyAuthorizations(IEnumerable&lt;MethodInfo&gt; actions) { var myAuthorization = new MyAuthorizations(); foreach (var methodInfo in actions) { var authorizationAttributes = methodInfo .GetCustomAttributes(typeof (MyAuthorizationAttribute), false) .Cast&lt;MyAuthorizationAttribute&gt;(); foreach (var myAuthorizationAttribute in authorizationAttributes) { myAuthorization.Roles.Add(MyAuthorizationAttribute.Role); myAuthorization.Permissions.Add(MyAuthorizationAttribute.Permission); } } return myAuthorization; } public class MyAuthorizations { public MyAuthorizations() { Roles = new List&lt;string&gt;(); Permissions = new List&lt;string&gt;(); } public List&lt;string&gt; Roles { get; set; } public List&lt;string&gt; Permissions { get; set; } } </code></pre> <p><strong>Finally the AuthorizedAction extension:</strong> warning:If you do have more than one match for a given controller/action pair this will give the 'authorized' url if the user is authorized for any of them...</p> <pre><code>public static string AuthorizedAction(this UrlHelper url, string controller, string action) { var actions = GetActions(controller, action); var authorized = GetMyAuthorizations(actions); if(user.Roles.Any(userrole =&gt; authorized.Roles.Any(role =&gt; role == userrole)) || user.Permissions.Any(userPermission =&gt; authorized.Permissions.Any(permission =&gt; permission == userPermission))) { return url.Action(controller,action) } return string.empty; } </code></pre> <p><strong>A Note on Generating Urls Based on Permissions:</strong><br> I state this is <em>probably</em> not best practice because of many little things. Each may have their own level of relevance depending on your situation. </p> <ul> <li>Gives the impression of trying to achieve security through obscurity. <em>If I don't show them the url, they won't know it is there.</em></li> <li>If you are already checking permissions in other ways to control the rendering of the page (as it appears you are doing based on your comments elsewhere) this explicitly not writing the url out is pointless. <em>Better to not even call the Url.Action method.</em></li> <li>If you are not already controlling the rendering of the page according to the user's permissions, simply returning empty string for urls will leave a lot of broken or seemingly broken content on your pages. <em>Hey this button doesn't do anything when I press it!</em></li> <li>It can make testing and debugging more complicated: <em>Is the url not showing up because the permissions are not right, or is there another bug?</em></li> <li>The behavior of the AuthorizedAction method seems inconsistent. Returns a url sometimes, and an empty string other times.</li> </ul> <p><strong>Controlling Page Rendering Via Action Authorization attributes:</strong> Modify the <code>AuthorizedAction</code> method to be a <code>boolean</code>, then use the result of that to control page rendering. </p> <pre><code>public static bool AuthorizedAction(this HtmlHelper helper, string controller, string action) { var actions = GetActions(controller, action); var authorized = GetMyAuthorizations(actions); return user.Roles.Any(userrole =&gt; authorized.Roles.Any(role =&gt; role == userrole)) || user.Permissions.Any(userPermission =&gt; authorized.Permissions.Any(permission =&gt; permission == userPermission)) } </code></pre> <p>Then use this in your razor pages. </p> <pre><code>@if(Html.AuthorizedAction("User","Add")){ &lt;div id='add-user-section'&gt; If you see this, you have permission to add a user. &lt;form id='add-user-form' submit='@Url.Action("User","Add")'&gt; etc &lt;/form&gt; &lt;/div&gt; } else { &lt;some other content/&gt; } </code></pre>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload