I've created controller classes to assist with Role authorization.
I have a base class ControllersAuthorities
, which is the highest level of authority. I have created the other classes to extend each base class.
[Authorize(Roles = "Owner")]
public abstract class ControllerAuthorities:Controller { }
[Authorize(Roles = "Admin")]
public abstract class AdminController:ControllerAuthorities { }
[Authorize(Roles = "Employee")]
public abstract class EmployeeController:AdminController { }
[Authorize(Roles = "Sales")]
public abstract class SalesController:EmployeeController { }
First question, will the Owner
, Admin
and Employee
Roles have access to the SalesController
?
When implementing these classes in my project controllers.
If I leave the [Authorize]
uncommented, will this override the inherited authority Role?
//[Authorize]
public class AccountController:ControllerAuthorities
{
Looking at AttributeUsage
attribute of Authorize
attribute ;
[AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method,
Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
Inherited= true
means that subclasses of the class which decorated with this attribute can inherit this attribute.
AllowMultiple=true
means that this attribute can be placed more than once on same entity.
With inherited attributes and allowed usage of same attribute your SalesController
can be considered as
[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }
And you can test this at runtime with this code.
var a = typeof(SalesController).GetCustomAttributes(true).ToArray();
First question, will the Owner
, Admin
and Employee
Roles have access to the SalesController
?
Inherited attributes are separated so they are applied independently.For one user to access SalesController
, user must have all roles(owner
,admin
,employee
and sales
) not one of them.
See the difference between
[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }
and
[Authorize(Roles = "Owner,Admin,Employee,Sales")]
public abstract class SalesController:EmployeeController { }
Second question: If you leave [Authorize]
uncommented with same logic AccountController
is like
[Authorize(Roles = "Owner")]
[Authorize]
public class AccountController:ControllerAuthorities{}
So it does not override inherited authority just creates multiple usage of authorize attribute because multiple usage is allowed for Authorize
attribute. If AllowMultiple
were false
in Authorize
attribute definiton then derived class could override the attribute in base class.
will the Owner, Admin and Employee Roles have access to the
SalesController
?
No, They can't access to SalesController
. Inheritance makes your code like this:
[Authorize(Roles = "Owner")]
public abstract class ControllerAuthorities:Controller { }
[Authorize(Roles = "Admin", "Owner")]
public abstract class AdminController:Controller { }
[Authorize(Roles = "Employee", "Admin", "Owner")]
public abstract class EmployeeController:Controller { }
[Authorize(Roles = "Sales", "Employee", "Admin", "Owner")]
public abstract class SalesController:Controller { }
And since SalesController
requires additional role, named Sales won't be accessible. Key to Access SalesController
: The user should be in All the mentioned roles.
If I leave the [Authorize]
uncommented, will this override the
inherited authority Role?
Yes, since AccountController
derived from ControllerAuthorities
which requires Owner
role.
Note that the controllers in MVC are just classes with some additional features to handle requests. There's no difference with class
concepts.
Tip : Look at the followings:
[Authorize(Roles = "Sales, Employee, Admin, Owner")]
allows the
user which have one of the roles. In another words, This acts
like OR (||
) operation.
[Authorize(Roles = "Sales", "Employee", "Admin", "Owner")]
allows
the user which have All of the roles. In another words, This acts
like And (&
) operation.
The last one is like your question. That's equal to the following too:
[Authorize(Roles = "Owner")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Sales")]
For more clarification than this! see How to authorize a set of controllers without placing the annotation on each one?