2

Have scoured but couldn't find anything relevant.

I have to this point built a cool web app in MVC using C#. I created a User model as

    using System.ComponentModel;

    public class User
    {
        // Must be named EntityNameId, must have primary key!
        public int UserId { get; set; }

        [DisplayName("First Name")]
        public string firstName { get; set; }

        [DisplayName("Last Name")]
        public string lastName { get; set; }

        [DisplayName("Cell Number")]
        public string cellNumber { get; set; }
    }

And as such have designed a profile/dashboard for each user

/User/Profile/1 

Accessed by their id. I've also got other sections such as a menu to edit items /Item/Index/1 which shows all items for that user etc. My code works etc to filter and populate those pages just for the user. To this point however I have not implemented any authentication. I would like to use the built-in authentication tools through ApplicationServices and have done before with roles:

<Authorize(Roles:="Manager,Administrator")> 

However I would like to limit pages to specific users who are logged in? I.e. /User/Profile/1 should only be accessible by that user etc. Rather than the roles they serve.

Does anyone know how this could be done? I know this would likely mean tying the account controllers and user controllers together, not quite sure how to do this so that everything works the same? As app is basically finished, quite simple though, but just requires authentication.

2 Answers

2

Just do a simple check at the top of the action method, if it's not the current user, perform the redirect.

    public ActionResult Profile(int id)
    {
        // Redirect anyone requesting a profile other than their own.
        if (CurrentUser.Id != id)
        {
            return RedirectToAction("Index");
        }
        return View();
    }

If you use it a lot, you could refactor it out into a method.


1 Comment

Does the built in authentication provided by MVC ApplicationServices have a field 'id'?
1

A secondary option would be to not even pass the user Id into the controller/action method, just grab the logged in user's Id and get the information from there.

    [Authorize]
    public ActionResult Profile()
    {
        // No id parameter: always load the logged-in user's own profile.
        return View(profileService.GetUserProfile(CurrentUser.Id));
    }

4 Comments

Would it be advisable to then combine my user model with the one created in ApplicationServices? As I wouldn't want the user to create both? Or is there a fancier easy way to join the two?
I am not quite sure what you are asking...The above pseudo-code example is just to demonstrate that you do not have to pass the Id in as a parameter - you can retrieve the data however you are now.
Understand it's purely pseudo. I see that the CurrentUser.Id is a field found in AccountModel though not in my existing user Model. Would there be a way to combine the two without having to move my existing controllers and views etc across?
Without knowing any more about your code, I cannot really comment on what you would need to do...
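
One way to factor the first answer's ownership check into a reusable filter, and to map the membership login onto the question's own User table, shown as an added example that is not part of the question or either answer. It assumes ASP.NET MVC (System.Web.Mvc) with the default {controller}/{action}/{id} route; OwnerOnlyAttribute, UserDirectory.FindIdByLogin and the UserName column are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Assumption: the app's User table gains a UserName column holding the
// membership login name. FindIdByLogin is a hypothetical hook to query it;
// the default returns null, so every request is denied until it is wired up.
public static class UserDirectory
{
    public static Func<string, int?> FindIdByLogin = login => null;
}

// Hypothetical attribute: allows a request only when the {id} route value
// is the logged-in user's own UserId.
public class OwnerOnlyAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check rejects anonymous requests.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // "1" in /User/Profile/1 or /Item/Index/1.
        object raw = httpContext.Request.RequestContext.RouteData.Values["id"];
        int requestedId;
        if (raw == null || !int.TryParse(raw.ToString(), out requestedId))
            return false; // missing or non-numeric id: deny

        int? ownId = UserDirectory.FindIdByLogin(httpContext.User.Identity.Name);
        return ownId.HasValue && ownId.Value == requestedId;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but not the owner: 403 instead of a redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class ItemController : Controller
{
    [OwnerOnly]
    public ActionResult Index(int id) // id = owning user's UserId
    {
        return View();
    }
}
```

Because the filter reads the id from route data only, a request that supplies it another way (for example as a query-string parameter) is denied rather than model-bound past the check.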
