Role based Authorization for Razor Pages
In ASP.NET Core it is very easy to define the Razor Pages authorization for pages and folders as follows:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    });

My problem is that I want to use roles in my project but I can not find a way to define which roles are allowed to view the contents of the page.

I tried to use the Authorize attribute but it does not work with Razor Pages.

The AuthorizePage can take a second parameter which can be used in order to define the policy which will be used in order to determine if the current user can see the specified page or not. I used it as follows:

services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Admin"));
});

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Index", "RequireAdministratorRole");
    });

The problem is that it still does not work. It acts like I have not defined the policy. When I am logged in I can see the page, and when I am not logged in it redirects me to the login form.

Is there something else that I have to do in order to make it work?

Parlance answered 9/1, 2018 at 19:15 Comment(2)
If it acts like you didn't define the policy, then perhaps you didn't add the line to use authentication: app.UseAuthentication(); - Leaseholder
I used it. I really do not know what is wrong with it. I probably have to add something else in order to activate it. - Parlance
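For reference, here is a complete ASP.NET Core 2.x Startup that wires the pieces the question and the comment above mention together: Identity with a role store, the "RequireAdministratorRole" policy, the Razor Pages conventions, and the middleware order in Configure. This is an added example, not code from the question or from any answer; ApplicationDbContext is an assumed name for the app's Identity EF Core context, and the "/Admin" folder is a placeholder path.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed: ApplicationDbContext is the application's Identity DbContext.
        // Registering IdentityRole here is what makes SignInManager put role claims
        // into the cookie at sign-in; without a role store, RequireRole can never pass.
        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>();

        services.AddAuthorization(options =>
        {
            // Policy evaluated against the role claims carried in the auth cookie.
            options.AddPolicy("RequireAdministratorRole",
                policy => policy.RequireRole("Admin"));
        });

        services.AddMvc()
            .AddRazorPagesOptions(options =>
            {
                // Whole folder (placeholder path) and a single page, both bound to the policy.
                options.Conventions.AuthorizeFolder("/Admin", "RequireAdministratorRole");
                options.Conventions.AuthorizePage("/Index", "RequireAdministratorRole");
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();

        // Order matters: the authentication middleware must run before MVC so that
        // HttpContext.User is populated when the page's authorization filter executes.
        // With it missing, every conventions-based policy behaves as if it were not defined.
        app.UseAuthentication();

        app.UseMvc();
    }
}
```

A quick check when a policy "does nothing": an unauthenticated request to a protected page should redirect to the login page, and an authenticated user who lacks the role should get the access-denied page (HTTP 403) rather than the content. If the second case shows the content, either the cookie was issued before the role claims were configured (sign out and back in) or UseAuthentication is missing or placed after UseMvc.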
4

I found what is wrong. In order to apply the changes after I remove the user from the role, I have to log out and log in again so that the framework will refresh what the user is allowed to view.

This is really a problem because if a User has the admin role and for some reason we want to stop him from accessing sensitive data, we cannot stop him until he logs off.

Is there a way to refresh the user’s permissions when I remove a role from his account?

Restarting the application did not remove his permission. The only way to refresh his permissions is when he logs out.

Parlance answered 9/1, 2018 at 22:43 Comment(3)
I think you'd better ask a new question instead of adding it to this answer. - Leaseholder
OK. I will try to make a new question. Thank you Ruard. - Parlance
@Parlance I find your logout then login tip very useful, upvoted! Do you have the link to your new question? Thanks. - Germinal
2

This is due to the user's cookie still being valid. Here is more explanation with a solution. Although it is in ASP.NET, the same concepts should apply to your Razor Pages project:

Refresh current user's role when changed in ASP.NET identity framework?

Crowd answered 6/5, 2018 at 23:9 Comment(0)
0

As to your latest question of

Is there a way to refresh the user’s permissions when I remove a role from his account?

Yes, you can refresh the logged-in user using the SignInManager RefreshSignIn method.

As per the official documentation the method will

Signs in the specified user, whilst preserving the existing AuthenticationProperties of the current signed-in user like rememberMe, as an asynchronous operation.

Lignocellulose answered 24/6, 2022 at 17:30 Comment(0)
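The following added example (not code from this answer or from the ASP.NET Core project) shows the two sides of the problem raised in the second post: RefreshSignInAsync re-issues the cookie for the user making the current request, and UpdateSecurityStampAsync invalidates every existing cookie of a user whose roles were changed by someone else, which is the case an administrator usually cares about. RemoveRoleModel is an assumed Razor Page handler name; "./Index" is a placeholder redirect target.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

// Assumed page model for an admin-only "remove role" form (name is hypothetical).
public class RemoveRoleModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public RemoveRoleModel(UserManager<IdentityUser> userManager,
                           SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    public async Task<IActionResult> OnPostAsync(string userId, string role)
    {
        var user = await _userManager.FindByIdAsync(userId);
        if (user == null)
        {
            return NotFound();
        }

        var result = await _userManager.RemoveFromRoleAsync(user, role);
        if (!result.Succeeded)
        {
            return BadRequest(result.Errors);
        }

        // Rotating the security stamp makes every cookie previously issued to this
        // user stale: the SecurityStampValidator compares the stamp in the cookie with
        // the stored one and signs the user out when they differ, instead of waiting
        // for the user to log out voluntarily.
        await _userManager.UpdateSecurityStampAsync(user);

        // If the affected account is the one making this request, re-issue the cookie
        // right now with the reduced set of role claims rather than signing ourselves out.
        if (user.Id == _userManager.GetUserId(User))
        {
            await _signInManager.RefreshSignInAsync(user);
        }

        return RedirectToPage("./Index");
    }
}

// Startup helper (added here for completeness): the stamp is only re-checked every
// ValidationInterval (30 minutes by default), so a shorter interval bounds how long a
// revoked role keeps working on an existing cookie.
public static class SecurityStampConfig
{
    public static void Register(IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.FromMinutes(5);
        });
    }
}
```

Note that RefreshSignInAsync on its own only helps when the user whose roles changed is the one currently signed in on that request; it cannot reach another user's browser. For other users, the security-stamp rotation plus a validation interval chosen for the application's risk tolerance is what actually removes access without a restart.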