I am working on an ASP.NET MVC project and I want users to be disabled initially on registration until they confirm their email and phone number. However, by default, disabled users cannot log in to the app to do this unless by an admin. How can I temporarily disable the users and still allow them to log in, but only with limited access, until they confirm their email and phone number?
You can create Custom Action Filters, which in turn check in the database whether the user has verified their mobile number or email address.
An example of an Action Filter is the [Authorize] attribute on a Controller.
You can then use these Custom Action Filters on the Controllers where you want to restrict them from doing any operation.
You can even display a different view or alert message to tell users about it.
ASP.NET MVC 4 Custom Action Filters MSDN
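A sketch of such a filter for ASP.NET MVC, added here as an example and not code from the original answer. It requires both confirmations, as the question asks. `IContactVerificationStore`, `AllowUnverifiedAttribute` and the `Account/VerifyContact` route are hypothetical names standing in for the application's own user lookup and verification pages.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical lookup over the application's user table (assumption).
public interface IContactVerificationStore
{
    bool IsEmailConfirmed(string userName);
    bool IsPhoneConfirmed(string userName);
}

// Hypothetical opt-out marker for the verification pages themselves.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowUnverifiedAttribute : Attribute { }

public sealed class RequireVerifiedContactAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(AllowUnverifiedAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowUnverifiedAttribute), true))
            return; // confirm-email / confirm-phone pages must stay reachable

        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return; // anonymous requests are left to [Authorize]

        var store = DependencyResolver.Current.GetService<IContactVerificationStore>();
        // Fail closed: a missing store counts as "not verified".
        bool verified = store != null
            && store.IsEmailConfirmed(user.Identity.Name)
            && store.IsPhoneConfirmed(user.Identity.Name);

        if (!verified)
        {
            // Checked on the server for every request, so hiding links in the
            // view is not what enforces the restriction.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "controller", "Account" },   // assumed route names
                { "action", "VerifyContact" }
            });
        }
    }
}
```

Put `[Authorize]` and `[RequireVerifiedContact]` on the controllers to restrict, or register the filter once with `GlobalFilters.Filters.Add(new RequireVerifiedContactAttribute())` and mark only the verification actions `[AllowUnverified]`, so a newly added controller is restricted by default.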
Related
I am building an MVC application with OWIN authentication. I am storing both users and admins in one table (Users). The application works in a way where the admin can also be a user (different views for admin vs. user).
I am thinking of the following options, but I am not sure if it is the correct approach:
Once the admin logs in, ask them if they want to use the application as a user or admin and redirect them based on that
Have two records, one as a user and another as an admin (only if nothing else works)
Is there a better solution?
The admin user by default is a privileged user, hence he should by default be shown admin pages. Similarly for the user.
However, as you mentioned, we can have a preview link which can render the page in a user mode if admin opts to.
Also, have a page where we can add / remove the roles for any user by the admin.
You may also have a user setting persisted in db to know the user's default view preference.
I have an ASP.NET Web Form application that is using the default ASP.NET MembershipProvider.
After registration, I require the administrator to approve the registration. Until that occurs, I would like the AnonymousTemplate in the LoginView to be shown.
The site uses the default code for the Site.Master.
My question is, can I modify the default behavior of the LoginView control so that it shows the LoggedInTemplate only after a registered user is approved by an administrator?
The MembershipUser object should have flags for IsActive and IsApproved. If you set both to false during the registration process, and do not log the user in after they are registered, then the template should stay anonymous. Then your Admin UI will have to set those flags to true, then save the user through the Membership API, then send them an e-mail that they are approved and can log in.
HTH
Background: I'm using OpenID authentication in my ASP.NET website. Here is how it works currently: the user picks an OpenID provider from a dropdown (google/yahoo/myopenid/etc.) and then clicks the Login button. The application then passes the user to the provider's authentication page. On successful authentication and authorization on the OpenID provider's site, the user is directed to my application. So far, so good.
Problem: On the OpenID provider's authentication page, if the user chooses/clicks Sign Up, then the provider follows its own workflow and control never returns to my application.
Question: Is there a way I can disable the dynamic registration on the provider (i.e., the Sign Up), so that the user would then be required to register with the provider and then use my application? Or
Is there a way that I can get the control back once the dynamic registration is done?
No. The OpenID protocol has no such provision and while it would be courteous of a Provider to remember to ultimately redirect their new user back to your site, not all do.
I have a web application that creates user accounts, but I would also like to have the ability to have users that can sign up for subscriptions without accounts. All they have is a subscription page to modify email settings and enable the newsletter subscription.
My first question is how do I verify that the user is who they say they are without a username/password, and my second is how should they access this page. I don't want just anyone typing in the URL with the email and accessing subscription settings for that user.
For each user entry you create a unique access code that you use in the url in order to validate that this is the user you want.
The subscription form will give these options:
subscribe by filling in your email
request to change your settings by just putting your email in another field
both actions will send an email to you with a special URL
the first to validate that this was made by you, so you will enable this user and his email
the second to send him another special URL to make any changes to his settings, in the case that this user is active in your database.
For this unique code you can use md5 of his email with a timestamp when he was registered.
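One way to issue and check the per-user access code from the emailed URL, added here as an example and not code from the original answer. An email address and a registration time are values other people may know or be able to guess, so this sketch draws the code from the system CSPRNG instead, stores only its hash, and gives it an expiry. `SubscriberRow` is a constructed stand-in for the application's subscribers table.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed stand-in for one row of the subscribers table (assumption).
public sealed class SubscriberRow
{
    public string Email;
    public byte[] CodeHash;      // SHA-256 of the emailed code; the code itself is not stored
    public DateTime ExpiresUtc;
}

public static class SubscriptionLinks
{
    // Creates a fresh 256-bit code, records its hash and expiry on the row,
    // and returns the code to embed in the emailed URL.
    public static string Issue(SubscriberRow row, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string code = BitConverter.ToString(raw).Replace("-", "");
        row.CodeHash = Hash(code);
        row.ExpiresUtc = DateTime.UtcNow.Add(lifetime);
        return code;
    }

    // True only if the presented code matches the stored hash and has not expired.
    public static bool Verify(SubscriberRow row, string presented)
    {
        if (row == null || row.CodeHash == null || string.IsNullOrEmpty(presented))
            return false;
        if (DateTime.UtcNow > row.ExpiresUtc)
            return false;
        byte[] candidate = Hash(presented);
        int diff = candidate.Length ^ row.CodeHash.Length;
        for (int i = 0; i < candidate.Length && i < row.CodeHash.Length; i++)
            diff |= candidate[i] ^ row.CodeHash[i];   // no early exit on mismatch
        return diff == 0;
    }

    private static byte[] Hash(string code)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(code));
    }
}
```

For the one-time confirmation link, set `CodeHash` to null after the first successful `Verify` so the same URL cannot be replayed from a forwarded or archived email.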
I have a document approval workflow application. The workflow sends emails to the appropriate users with links to Accept/Reject the document.
When the user clicks on the Accept or Reject link, an aspx page is shown, where he can type a comment and submit.
Now the question is: I want Windows Authentication on this aspx page. If the user is authenticated, I want his Userid to be checked against the database to see if his role/profile has the privilege to view the page.
How should I achieve this?
If the whole thing is internal (within your organization) then simply use Windows Authentication on the website. Otherwise you have to mix Forms and Windows Authentication on the site. Here is an MSDN article about this.
Once authentication is wired up you can access the user's identity using static
System.Security.Principal.IIdentity user = Page.User.Identity;
property. It contains IsAuthenticated and AuthenticationType properties which you can put to use.