Inheritance of Authorized Roles in controller classes
I've created controller classes to assist with Role authorization.

I have a base class ControllerAuthorities, which is the highest level of authority. I have created the other classes to extend each base class.

[Authorize(Roles = "Owner")]
public abstract class ControllerAuthorities:Controller { }
[Authorize(Roles = "Admin")]
public abstract class AdminController:ControllerAuthorities { }

[Authorize(Roles = "Employee")]
public abstract class EmployeeController:AdminController { }
[Authorize(Roles = "Sales")]
public abstract class SalesController:EmployeeController { }

First question, will the Owner, Admin and Employee Roles have access to the SalesController?

When implementing these classes in my project controllers, if I leave the [Authorize] uncommented, will this override the inherited authority Role?

//[Authorize]
public class AccountController:ControllerAuthorities
{
}
Tumor answered 23/9, 2015 at 13:46 Comment(1)
I updated my answer, there are some Tips that you need to know and I gathered in my post :) – Comp

Looking at the AttributeUsage attribute of the Authorize attribute:

[AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method, 
    Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter

Inherited = true means that subclasses of the class decorated with this attribute inherit this attribute.

AllowMultiple = true means that this attribute can be placed more than once on the same entity.

With inherited attributes and multiple usage of the same attribute allowed, your SalesController can be considered as

[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }

And you can test this at runtime with this code.

var a = typeof(SalesController).GetCustomAttributes(true).ToArray();

First question, will the Owner, Admin and Employee Roles have access to the SalesController? Inherited attributes are separate, so they are applied independently. For one user to access SalesController, the user must have all roles (Owner, Admin, Employee and Sales), not one of them.

See the difference between

[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }

and

[Authorize(Roles = "Owner,Admin,Employee,Sales")]
public abstract class SalesController:EmployeeController { }

Second question: if you leave [Authorize] uncommented, with the same logic AccountController is like

[Authorize(Roles = "Owner")]
[Authorize]
public class AccountController:ControllerAuthorities{}

So it does not override the inherited authority, it just creates multiple usages of the Authorize attribute, because multiple usage is allowed for the Authorize attribute. If AllowMultiple were false in the Authorize attribute definition, then the derived class could override the attribute in the base class.

Clinician answered 27/9, 2015 at 0:33 Comment(1)
No, what I am saying is inherited attributes are applied differently, so that one user must have Owner, Admin, Employee and Sales attributes to access SalesController. [Authorize(Roles = "Owner,Admin,Employee,Sales")] tells that the user must have one of them to access SalesController. They are different. – Clinician
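The two rules this answer relies on (a comma list inside one Authorize attribute is OR, stacked or inherited Authorize attributes are AND, and a bare [Authorize] on a derived class adds to rather than replaces the inherited one) can be exercised end to end with the console program below. This is an added example, not code from the question, the answers or the MVC framework: RequireRolesAttribute is a constructed stand-in that copies the AttributeUsage flags quoted above and the real AuthorizeAttribute's comma-split role check, and Pipeline.Authorize is an assumed helper that stands in for MVC's authorization filter stage by requiring every attribute collected along the inheritance chain to pass. Only the controller hierarchy is taken from the question; the user names and roles are constructed.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Constructed stand-in for System.Web.Mvc.AuthorizeAttribute (added example, not the
// framework's code). It copies the two AttributeUsage flags quoted in the answer and the
// real attribute's role rule: Roles is split on ',' and the user needs ANY one of them.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
sealed class RequireRolesAttribute : Attribute
{
    public string Roles { get; set; } = "";

    public bool IsSatisfiedBy(IPrincipal user)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;                                   // anonymous: always denied
        var roles = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
        return roles.Length == 0                            // plain [Authorize]: any authenticated user
            || roles.Any(user.IsInRole);                    // comma list inside one attribute: OR
    }
}

// The hierarchy from the question, decorated with the constructed attribute.
[RequireRoles(Roles = "Owner")]    abstract class ControllerAuthorities { }
[RequireRoles(Roles = "Admin")]    abstract class AdminController : ControllerAuthorities { }
[RequireRoles(Roles = "Employee")] abstract class EmployeeController : AdminController { }
[RequireRoles(Roles = "Sales")]    abstract class SalesController : EmployeeController { }
[RequireRoles]                     class AccountController : ControllerAuthorities { }
// One attribute carrying a comma list, for contrast with the stacked form.
[RequireRoles(Roles = "Owner,Admin,Employee,Sales")] class AnyOfController { }

static class Pipeline
{
    // Assumed helper emulating the authorization filter stage: every attribute found on the
    // type or any base type (inherit: true) is an independent filter and all must pass (AND).
    public static bool Authorize(Type controller, IPrincipal user) =>
        controller.GetCustomAttributes(typeof(RequireRolesAttribute), inherit: true)
                  .Cast<RequireRolesAttribute>()
                  .All(f => f.IsSatisfiedBy(user));
}

class Program
{
    // Constructed users: GenericIdentity with a non-empty name counts as authenticated.
    static IPrincipal User(string name, params string[] roles) =>
        new GenericPrincipal(new GenericIdentity(name), roles);

    static void Check(bool condition, string what) =>
        Console.WriteLine((condition ? "PASS  " : "FAIL  ") + what);

    static void Main()
    {
        // The runtime check from the answer: every attribute along the chain is visible.
        Check(typeof(SalesController).GetCustomAttributes(true).Length == 4,
              "SalesController carries four inherited Authorize-style attributes");

        var salesOnly = User("alice", "Sales");
        var allFour   = User("bob", "Owner", "Admin", "Employee", "Sales");
        var noRoles   = User("carol");

        Check(!Pipeline.Authorize(typeof(SalesController), salesOnly),
              "stacked attributes: Sales alone is not enough for SalesController");
        Check(Pipeline.Authorize(typeof(SalesController), allFour),
              "stacked attributes: holding all four roles passes SalesController");
        Check(Pipeline.Authorize(typeof(AnyOfController), salesOnly),
              "comma list: Sales alone passes the single-attribute controller");
        Check(!Pipeline.Authorize(typeof(AccountController), noRoles),
              "bare [Authorize] does not override the inherited Owner requirement");
        Check(Pipeline.Authorize(typeof(AccountController), User("dan", "Owner")),
              "an Owner still reaches AccountController");
    }
}
```

Run it as a plain console project (dotnet run); each PASS line corresponds to one of the claims in the answer. The AND across attributes falls out of Pipeline.Authorize using All over the attributes that GetCustomAttributes(inherit: true) returns, which is exactly why the stacked form and the comma-list form behave differently even though both mention the same four roles.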

will the Owner, Admin and Employee Roles have access to the SalesController?

No, they can't access SalesController. Inheritance makes your code like this:

[Authorize(Roles = "Owner")]
public abstract class ControllerAuthorities:Controller { }
[Authorize(Roles = "Admin", "Owner")]
public abstract class AdminController:Controller { }

[Authorize(Roles = "Employee", "Admin", "Owner")]
public abstract class EmployeeController:Controller { }
[Authorize(Roles = "Sales", "Employee", "Admin", "Owner")]
public abstract class SalesController:Controller { }

And since SalesController requires an additional role, named Sales, it won't be accessible. Key to access SalesController: the user should be in all the mentioned roles.

If I leave the [Authorize] uncommented, will this override the inherited authority Role?

Yes, since AccountController is derived from ControllerAuthorities, which requires the Owner role.

Note that the controllers in MVC are just classes with some additional features to handle requests. There's no difference with class concepts.

Tip: look at the following:

  • [Authorize(Roles = "Sales, Employee, Admin, Owner")] allows a user who has one of the roles. In other words, this acts like an OR (||) operation.
  • [Authorize(Roles = "Sales", "Employee", "Admin", "Owner")] allows a user who has all of the roles. In other words, this acts like an AND (&) operation.

The last one is like your question. That's equal to the following too:

[Authorize(Roles = "Owner")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Sales")]

For more clarification, see How to authorize a set of controllers without placing the annotation on each one?

Comp answered 1/10, 2015 at 7:23 Comment(4)
@Heyyou Employee etc. have no access to SalesController since this controller requires the Sales role too. If you plan to access SalesController by the Employee role, you have to remove the Sales role above the SalesController to let it. – Comp
Are you sure [Authorize] overrides the inherited attribute? – Clinician
And what you are saying with inheritance is that the SalesController attribute is [Authorize(Roles = "Sales, Employee, Admin, Owner")]. Like you said, this is the OR case, then any user that has one of the roles in the attribute definition could access that controller, with no need for an additional role, in this case Sales. I think there is a contradiction in your answer. – Clinician
@AmirHosseinMehrvarzi if AllowMultiple was false then [Authorize] would override [Authorize(Roles = "Owner")]. But AllowMultiple=true in the AttributeUsage of the Authorize attribute. You can check this at runtime using var a = typeof(SalesController).GetCustomAttributes(true).ToArray(); – Clinician