mvc authentication with multiple roles - asp.net

I am building a mvc application with owin authentication. I am storing both users and admins in one table(Users). The application works in a way where the admin can also be an user(different views for admin vs user).
I am thinking the following options but i am not if it is correct approach
Once the admin logs in ask them if they want to use the application as an user or admin and redirect them based on that
Have two records one as an user and another as an admin (only if nothing else works)
Is there a better solution?

The admin user by default is a privileged user, hence he should by default be shown admin pages. Similarly for the user.
However, as you mentioned, we can have a preview link which can render the page in a user mode if admin opts to.
Also, have a page where we can add / remove the roles for any user by the admin.
You may also have a user setting persisted in db to know the user's default view preference.

Related

Symfony, redirecting depending on a variable

I'm building a shop system at the moment. Using Symfony+CommerceTools as backend and Twig as frontend.
What I want to achive:
In store A, called with a.store.com, you should be always redirected to /login page if you arent logged in yet. This store can only be used when logged in.
In store B, called with store.com, you can access anything without being logged in.
Right now, anyone can access everything. Thats right for store B.
I could add a rule to the security.yaml, that redirects to /login if not logged in, that would work for store A.
But I need a solution, that have both. Depending on a variable in commerceTools.
So if you have logins set up this is quite straight forward using roles in Symfony. If you don't have a login form set up yet check out this Symfony login guide.
To use roles you will have to ensure you have your security system set up which is in this Symfony Security guide - Note this will need to be set up first if you intend to use the Symfony login forms I linked to first.
The bit you need in particular to restrict access to certain sections of your site is Section 4) Denying Access, Roles and other Authorization in the above guide.
Essentially in your User entity class you have roles set to your users. Then, my preferred way of securing certain parts of your site would be by adding role requirements into the controllers for the views you want to secure, for example:
// src/Controller/ShopAController.php
// ...
public function shopA(): Response
{
$this->denyAccessUnlessGranted('ROLE_USER');
}
You will notice when setting up the security system, that there are settings to give any registered users the role of ROLE_USER, so you can use this to secure parts of your site to only registered users, or you could create a new role such as ROLE_CUSTOMER or something.
If a none logged in user tries accessing this secured view, they will be redirected to the login page.
Then for the views of your site you want anyone to be able to access you simply don't set any role access rules in those controllers.
This avoids needing to add URL paths to your security.yaml as you wanted as well.
I hope this was helpful! Give it a try and follow the Symfony tutorials I linked, they're very easy to follow :)

FOSUserBundle and LDAP user before login - Symfony2

I have successfully set up the FOSUserBundle and the FR3D LDAP bundle to allow my company users to login to the web app with their own login.
From now, if someone logins, they will have the default role, which is ROLE_USER.
However, I only want a specific role to be allowed (in this case it's ROLE_CONSULT, which I created).
What I am doing to allow users at this moment is:
Ask the user to login to the web app
They get the "You have no right to access this web page"
They tell me he connected
I change the user's role to "ROLE_CONSULT" with a form I created within the admin panel.
What I want to do is:
I select the user from the LDAP list
Change the user role (which is not on the database yet, but will be as soon as I change the role)
The user logins successfully
I already developed the 1 and 2 points, but as the "salt" is empty on the database, it doesn't allow the user to connect as it must believe the password isn't correct.
Any idea how I can make it work by telling Symfony2 it is the first login, it will automatically ONLY check the entered password at my LDAP configuration ?
Thanks.
Alright, that was easy.
I just forgot to put the "DN" to the database.
Now it's working.

Allow an user to be both "User" and "Admin" roles

I am having a problem and would like to know if someone has a suggestion. On a site I am developing, I was using Asp.net Simple Membership but now I am migrating to Asp.net Identity 2. I have 2 roles: "User" and "Admin". The admin can do admin stuf, configuration, database management, etc. But cannot do "user things". So, the admin is not a "super user" - it only has different function.
The problem I am facing is that the unique identifier for the user is their email. So, if someone wants to use the system all by himself he has to create 2 accounts (one admin and one user), so he has to have 2 emails. This is a problem. I could easily add both "user" and "admin" roles to that users but that would make the system harder to use for the "user" role and I would like to avoid this.
I use roles to authorize routes on the server (MVC and web api) and to basic (like hide elements) things on the UI (SPA), so, it is already part of the system - but I am willing to change it, if necessary.
I was thinking in doing something like this:
When the user is configured to be a administrator, every time he log on, I ask if he want to be an admin or user on this session.
If he choose "user", I set a user role for him and log in.
If he choose "admin", I set a "admin" role for him and log in.
What do you think about that? Does someone have a better idea? This feels like a hack and hacks do not go well with security :/
I see a problem with that - Sometimes I need to send emails to admins (when they are offline). With this, I cannot rely on the UserRole table only, will always have to check the User.IsAdministrator flag too. It is not a big problem but add a small complexity to things.
You need to use roles for this. A user can be a member of several roles at once, so you can have a user that is a member of the 'user' roles, a user that is a member of the 'admin' role or a user that is a member of both the 'user' and 'admin' roles.
You have already suggested this idea and this is how I would do it, if you then wanted to control what they could see (so that an 'admin' member could only see stuff that normally a 'user' role user can see) then you could have a drop down on any form (or put it on your master page) that allows the user to turn the admin stuff on and off, you can then remember their selecting in the session object and refer to that each time the page loads. e.g.
if user.IsInRole("Admin") and IsNothing(Session("HideAdmin")) Then
'Show Admin Stuff
End If
Or somthing similar.
This type of problem is solved at DataBase Design time not at development time. You have few choice the best I see is create a Third user who will have both rights.

How To Programmatically Add OpenID Users To Plone Site

I need to give roles (including the Member role), memberdata, and user folders to certain OpenID users before they first log in to my Plone site. That is, I need to programmatically add OpenID users to my Plone site. portal_registration.addMember cannot add an OpenID user. plone.openid has its own PAS plugin which does not create member objects. What do I do that is replicable in a setuphandler? The usual way to do this is to manually log in the OpenID user, then add roles, memberdata, and sharing after the login. Howwever, that user story is not programmatically replicable.
The only thing that should matter is the user id generated for each user. It should be possible to just create regular members beforehand with user ids matching the open id identity urls, assing them roles and then use openid (only) as an alternative authentication method for those users.
Update: As Chris commented below, it's not possible to add users with URL as their id through Plone UI, but they must be created directly into PAS users folder through ZMI (Zope Management Interface).

How-to check if user is logged in asp.net and depending on if they are logged in display a certain page?

I have a very basic understanding of ASP.NET and I am trying to do the following. I have a home page that is set-up to be a login page. If you could just picture a username and password box that is the extent of that home page. Once the user is logged in they will go to a different page let's say the account page. However, when the user clicks the logo at the top left hand it takes them to the home page again but it shows the username and password boxes again ready to be filled.
The user status at the top of my page still shows that the user is logged in. What I am trying to do is add a piece of code that will change the link of the logo to display the account page once they are logged in and not the login page.
I don't know if this can be done through the web.config file since I read a different article that has something similar to this or if this code can be put directly next to the code where my logo link (default.aspx) sits.
Many thanks in advance!
Research the Membership Provider.
It's an industry standard in ASP.NET session management. It will manage all of your pages and allow you to customize pages, menus, etc. based on roles and permissions. Don't reinvent the wheel if you have the oppertunity to use it.
Straight from MSDN:
ASP.NET membership supports facilities
for:
Creating new users and passwords.
Storing membership information (user
names, passwords, and supporting data)
in Microsoft SQL Server, Active
Directory, or an alternative data
store.
Authenticating users who visit your
site. You can authenticate users
programmatically, or you can use the
ASP.NET login controls to create a
complete authentication system that
requires little or no code.
Managing passwords, which includes
creating, changing, and resetting them
. Depending on membership options you
choose, the membership system can also
provide an automated password-reset
system that takes a user-supplied
question and response.
Exposing a unique identification for
authenticated users that you can use
in your own applications and that also
integrates with the ASP.NET
personalization and role-management
(authorization) systems.
Specifying a custom membership
provider, which allows you to
substitute your own code to manage
membership and maintain membership
data in a custom data store

Resources