

Users in Multiple Organizations with Different Roles

Question:

Tag: asp.net-mvc,security,claims-based-identity,asp.net-authorization

I'm fairly new to setting up security for websites and am having trouble finding the correct architecture/design/pattern/best practice for the type of authentication/authorization I need in a .NET MVC environment. I don't even know what to call it in order to do more research. Below is an example of what I need to implement. What is this called? (I don't think it's multi-tenant.)

Joe works inventory for a few stores in a Grocery Store chain. Joe is an Inventory Manager (can edit items) for Store A, but just an Inventory Clerk (only view items) for Store B and has no access to Store C.

So Joe should be able to access the ActionResult Edit in the InventoryController if he is trying to edit Store A, but should not be able to access the same ActionResult Edit if he is trying to edit Store B or C.

The straightforward Identity or Claims based authorization isn't enough for this scenario (I don't think), but I don't know the "name" of the design I need in order to do further research. What is this design called?


Answer:

It's called object-level authorization (aka object-level security, aka fine-grained authorization, etc.). Basically, permissions are based on "ownership" of objects, or perhaps better put in this scenario, being owned by an object. You would need to set up a many-to-many relationship between stores and employees, with a payload of a role/grant. For example:

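using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;

// Join entity: one row per (store, employee) pair, carrying the role granted at that store.
public class StoreEmployee
{
    // Composite primary key, part 1
    [Key, Column(Order = 1)]
    [ForeignKey("Store")]
    public int StoreId { get; set; }
    public virtual Store Store { get; set; }

    // Composite primary key, part 2
    [Key, Column(Order = 2)]
    [ForeignKey("Employee")]
    public int EmployeeId { get; set; }
    public virtual Employee Employee { get; set; }

    // The role/grant this employee holds at this store
    public string Role { get; set; }
}

public class Store
{
    // ...
    public virtual ICollection<StoreEmployee> Employees { get; set; }
}

public class Employee
{
    // ...
    public virtual ICollection<StoreEmployee> Stores { get; set; }
}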

With that, you can then use this relationship in your actions to verify whether a user has access:

if (!joe.Stores.Any(m => m.Store == storeA && m.Role == "Manager"))
{
    return new HttpUnauthorizedResult();
}

Here, I kept things simple by just making Role a string. You could use an enum, or even an actual class that would also be persisted in your database. Or you could tie into the existing roles for users in general. It's up to you. You might also prefer to turn that into a custom action filter.
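
The following console program is an added example, not part of the original answer. It runs the question's Joe scenario through a role-only check and through an object-level check, so the gap between the two is visible for Stores A, B and C. The names StoreRole, StoreGrant, StoreAuthorization and the numeric ids are assumptions made for this illustration, and the enum ordering (Manager includes Clerk) is an assumed policy.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed policy: a higher value includes the permissions of the lower one.
public enum StoreRole { Clerk = 1, Manager = 2 }

// Constructed stand-in for the StoreEmployee join row (hypothetical name).
public sealed class StoreGrant
{
    public int EmployeeId { get; set; }
    public int StoreId { get; set; }
    public StoreRole Role { get; set; }
}

public static class StoreAuthorization
{
    // Role-only check: ignores which store the request targets.
    public static bool HasRoleAnywhere(IEnumerable<StoreGrant> grants, int employeeId, StoreRole required)
    {
        return grants.Any(g => g.EmployeeId == employeeId && g.Role >= required);
    }

    // Object-level check: the grant must exist for this exact store.
    // No matching row means no access (deny by default).
    public static bool HasRoleForStore(IEnumerable<StoreGrant> grants, int employeeId, int storeId, StoreRole required)
    {
        return grants.Any(g => g.EmployeeId == employeeId
                            && g.StoreId == storeId
                            && g.Role >= required);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed ids for Joe and Stores A, B, C.
        const int joe = 1, storeA = 10, storeB = 20, storeC = 30;

        var grants = new List<StoreGrant>
        {
            new StoreGrant { EmployeeId = joe, StoreId = storeA, Role = StoreRole.Manager },
            new StoreGrant { EmployeeId = joe, StoreId = storeB, Role = StoreRole.Clerk },
            // Deliberately no row for Store C.
        };

        foreach (var store in new[] { storeA, storeB, storeC })
        {
            bool view = StoreAuthorization.HasRoleForStore(grants, joe, store, StoreRole.Clerk);
            bool edit = StoreAuthorization.HasRoleForStore(grants, joe, store, StoreRole.Manager);
            // The role-only answer is the same for every store, which is the gap
            // the question describes: being a Manager somewhere is not enough.
            bool roleOnlyEdit = StoreAuthorization.HasRoleAnywhere(grants, joe, StoreRole.Manager);

            Console.WriteLine("store {0}: view={1} edit={2} role-only edit={3}",
                              store, view, edit, roleOnlyEdit);
        }
    }
}
```

When this check is called from an action or a filter, the store id passed in has to be the one the request actually targets, resolved on the server for every request.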

