protected override bool AuthorizeCore(HttpContextBase httpContext) { bool isAdmin = false; var isAuthorized = base.AuthorizeCore(httpContext); if (!isAuthorized) { // the user is either not authenticated or // not in roles => no need to continue any further return false; } // get the currently logged on user var username = httpContext.User.Identity.Name; // get the id of the article that he is trying to manipulate // from the route data (this assumes that the id is passed as a route // data parameter: /foo/edit/123). If this is not the case and you // are using query string parameters you could fetch the id using the Request //var id = httpContext.Request.RequestContext.RouteData.Values["id"] as string; // Now that we have the current user and the id of the article he // is trying to manipualte all that's left is go ahead and look in // our database to see if this user is the owner of the article HLGranite.Mvc.Models.hlgraniteEntities db = new HLGranite.Mvc.Models.hlgraniteEntities(); HLGranite.Mvc.Models.User user = db.Users.Where(u => u.UserName.Equals(username)).FirstOrDefault(); if (user != null) isAdmin = user.IsAdmin; return isAdmin; }
protected override bool AuthorizeCore(HttpContextBase httpContext) { bool isAdmin = false; var isAuthorized = base.AuthorizeCore(httpContext); if (!isAuthorized) { // the user is either not authenticated or // not in roles => no need to continue any further return(false); } // get the currently logged on user var username = httpContext.User.Identity.Name; // get the id of the article that he is trying to manipulate // from the route data (this assumes that the id is passed as a route // data parameter: /foo/edit/123). If this is not the case and you // are using query string parameters you could fetch the id using the Request //var id = httpContext.Request.RequestContext.RouteData.Values["id"] as string; // Now that we have the current user and the id of the article he // is trying to manipualte all that's left is go ahead and look in // our database to see if this user is the owner of the article HLGranite.Mvc.Models.hlgraniteEntities db = new HLGranite.Mvc.Models.hlgraniteEntities(); HLGranite.Mvc.Models.User user = db.Users.Where(u => u.UserName.Equals(username)).FirstOrDefault(); if (user != null) { isAdmin = user.IsAdmin; } return(isAdmin); }
protected override bool AuthorizeCore(HttpContextBase httpContext) { bool canView = false; var isAuthorized = base.AuthorizeCore(httpContext); if (!isAuthorized) { // the user is either not authenticated or // not in roles => no need to continue any further return false; } // get the currently logged on user var username = httpContext.User.Identity.Name; // get the id of the article that he is trying to manipulate // from the route data (this assumes that the id is passed as a route // data parameter: /foo/edit/123). If this is not the case and you // are using query string parameters you could fetch the id using the Request //var id = httpContext.Request.RequestContext.RouteData.Values["id"] as string; // Now that we have the current user and the id of the article he // is trying to manipualte all that's left is go ahead and look in // our database to see if this user is the owner of the article HLGranite.Mvc.Models.hlgraniteEntities db = new HLGranite.Mvc.Models.hlgraniteEntities(); HLGranite.Mvc.Models.User user = db.Users.Where(u => u.UserName.Equals(username)).FirstOrDefault(); if (user == null) return false; canView = user.IsAdmin; // check whether the order is belonged to login user if (!canView) { string controller = httpContext.Request.RequestContext.RouteData.Values.First().Value.ToString(); int id = Convert.ToInt32(httpContext.Request.RequestContext.RouteData.Values["id"]); switch(controller) { case "Nisan": if (!canView) canView = (user.UserTypeId == HLGranite.Mvc.Models.User.STAFF_TYPE_ID); if (!canView) { Nisan nisan = db.Nisans.Where(n => n.Id == id).FirstOrDefault(); if (nisan != null) canView = (nisan.SoldTo.UserName == username); } break; case "Tomb": if (!canView) canView = (user.Id == HLGranite.Mvc.Models.User.STAFF_TYPE_ID); break; case "Renovation": if (!canView) canView = (user.Id == HLGranite.Mvc.Models.User.STAFF_TYPE_ID); break; case "User": User profile = db.Users.Where(u => u.Id == id).FirstOrDefault(); if (profile != null) canView = (profile.Id == user.Id); break; } } return canView; }
protected override bool AuthorizeCore(HttpContextBase httpContext) { bool canView = false; var isAuthorized = base.AuthorizeCore(httpContext); if (!isAuthorized) { // the user is either not authenticated or // not in roles => no need to continue any further return(false); } // get the currently logged on user var username = httpContext.User.Identity.Name; // get the id of the article that he is trying to manipulate // from the route data (this assumes that the id is passed as a route // data parameter: /foo/edit/123). If this is not the case and you // are using query string parameters you could fetch the id using the Request //var id = httpContext.Request.RequestContext.RouteData.Values["id"] as string; // Now that we have the current user and the id of the article he // is trying to manipualte all that's left is go ahead and look in // our database to see if this user is the owner of the article HLGranite.Mvc.Models.hlgraniteEntities db = new HLGranite.Mvc.Models.hlgraniteEntities(); HLGranite.Mvc.Models.User user = db.Users.Where(u => u.UserName.Equals(username)).FirstOrDefault(); if (user == null) { return(false); } canView = user.IsAdmin; // check whether the order is belonged to login user if (!canView) { string controller = httpContext.Request.RequestContext.RouteData.Values.First().Value.ToString(); int id = Convert.ToInt32(httpContext.Request.RequestContext.RouteData.Values["id"]); switch (controller) { case "Nisan": if (!canView) { canView = (user.UserTypeId == HLGranite.Mvc.Models.User.STAFF_TYPE_ID); } if (!canView) { Nisan nisan = db.Nisans.Where(n => n.Id == id).FirstOrDefault(); if (nisan != null) { canView = (nisan.SoldTo.UserName == username); } } break; case "Tomb": if (!canView) { canView = (user.Id == HLGranite.Mvc.Models.User.STAFF_TYPE_ID); } break; case "Renovation": if (!canView) { canView = (user.Id == HLGranite.Mvc.Models.User.STAFF_TYPE_ID); } break; case "User": User profile = db.Users.Where(u => u.Id == id).FirstOrDefault(); if (profile != null) { canView = (profile.Id == user.Id); } break; } } return(canView); }