Adding Administrator Login to ASP.NET

  • Question

  • I have a very simple ASP.NET MVC5 application. I am using this to create a very simple site that will allow users to download our applications once they have logged in to the website (they will need a code, provided by us in order to log in).

    Now, I want to add a default Administrator account, which will show some hidden pages where we can upload new .exe files, remove user accounts etc. (standard admin stuff). Now, I am doing this in the simplest way possible, by adding an "IsAdmin" field to the AspNetUsers table via

        public class ApplicationUser : IdentityUser
        {
            [DataType(DataType.EmailAddress)]
            public string EmailAddress { get; set; }

            public bool? IsAdmin { get; set; }
            public bool? HasDownloadedPackageA { get; set; }
            public bool? HasDownloadedPackageB { get; set; }
        }

    and using code migration. I am ensuring the "Administrator" account is always created/updated by my Configuration class

        internal sealed class Configuration : 
            DbMigrationsConfiguration<SiteNET.Models.ApplicationDbContext>
        {
            public Configuration()
            {
                AutomaticMigrationsEnabled = false;
                ContextKey = "SiteNET.Models.ApplicationDbContext";
            }

            protected override async void Seed(SiteNET.Models.ApplicationDbContext context)
            {
                UserManager<ApplicationUser> userManager = 
                    new UserManager<ApplicationUser>(
                        new UserStore<ApplicationUser>(new ApplicationDbContext()));
                ApplicationUser admin = new ApplicationUser()
                {
                        UserName = "Administrator",
                        IsAdmin = true,
                        EmailAddress = "no-reply@site.com.au"
                };
                var result = await userManager.CreateAsync(admin, "harley");
                if (result.Succeeded)
                    context.Users.AddOrUpdate(admin);
            }
        }

    This does not seem to add the password so I am assuming that using userManager.CreateAsync(admin, "harley") is not the right way.

    Is this approach reasonable? I only need one admin account and messing with IdentityRoles and Authorization seems overkill in this case.

    Thanks for your time.



    "Everything should be made as simple as possible, but not simpler" - Einstein

    Thursday, November 6, 2014 12:21 PM

All replies

  • I agree with you that this seems overkill, but ASP.NET security is based on it, and it seems good too! :)

    Why don't you create an Admin role and add your user to it? After that you can just authorize your controller using that role. Here is a sample:

        // Seed is a synchronous override, so it is declared void (not async void)
        // and uses the synchronous Identity extension methods.
        protected override void Seed(SiteNET.Models.ApplicationDbContext context)
        {
            var UserManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(context));
            var RoleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(context));

            string name = "Admin";
            string password = "123456";
            string test = "test";

            //Create Role Test and User Test
            RoleManager.Create(new IdentityRole(test));
            UserManager.Create(new ApplicationUser() { UserName = test });

            //Create Role Admin if it does not exist
            if (!RoleManager.RoleExists(name))
            {
                var roleresult = RoleManager.Create(new IdentityRole(name));
            }

            //Create User=Admin with password=123456
            var user = new ApplicationUser();
            user.UserName = name;
            var adminresult = UserManager.Create(user, password);

            //Add User Admin to Role Admin
            if (adminresult.Succeeded)
            {
                var result = UserManager.AddToRole(user.Id, name);
            }
            base.Seed(context);
        }


    Adding the Authorization control:

    [Authorize()]
    public class HomeController : Controller {
        public ActionResult AllUsersIndex() {
            return View();
        }
    
        [Authorize(Roles = "Admin")]
        public ActionResult AdminUsersIndex() {
            return View();
        }
    }

    • Marked as answer by Pengzhen Song Thursday, November 13, 2014 12:10 PM
    Thursday, November 6, 2014 1:14 PM
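
The seeding approach from this answer, as an added example that is not part of the original thread: it can be re-run safely, takes the initial password from outside source control, and throws when an `IdentityResult` reports failure instead of discarding it. The environment variable name `SITENET_ADMIN_PASSWORD` and the `Check` helper are assumptions made for illustration; the model types are those shown in the question.

```csharp
using System;
using System.Data.Entity.Migrations;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using SiteNET.Models;   // ApplicationUser and ApplicationDbContext from the question

internal sealed class Configuration : DbMigrationsConfiguration<ApplicationDbContext>
{
    private const string AdminRole = "Admin";

    public Configuration()
    {
        AutomaticMigrationsEnabled = false;
        ContextKey = "SiteNET.Models.ApplicationDbContext";
    }

    // Synchronous on purpose: an "async void" Seed returns to the caller at its
    // first incomplete await, so the migration can finish before the user is written.
    protected override void Seed(ApplicationDbContext context)
    {
        var users = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(context));
        var roles = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(context));

        if (!roles.RoleExists(AdminRole))
            Check(roles.Create(new IdentityRole(AdminRole)), "create role");

        var admin = users.FindByName("Administrator");
        if (admin == null)
        {
            // Assumed variable name; keeps the initial password out of the repository.
            var password = Environment.GetEnvironmentVariable("SITENET_ADMIN_PASSWORD");
            if (string.IsNullOrEmpty(password))
                throw new InvalidOperationException("SITENET_ADMIN_PASSWORD is not set.");
            admin = new ApplicationUser { UserName = "Administrator", EmailAddress = "no-reply@site.com.au" };
            Check(users.Create(admin, password), "create Administrator");
        }

        if (!users.IsInRole(admin.Id, AdminRole))
            Check(users.AddToRole(admin.Id, AdminRole), "add Administrator to role");
    }

    // IdentityResult does not throw on failure; surface its Errors instead.
    private static void Check(IdentityResult result, string step)
    {
        if (!result.Succeeded)
            throw new InvalidOperationException("Seed failed to " + step + ": " + string.Join("; ", result.Errors));
    }
}
```
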
  • Thanks for this. I am completely new to ASP.NET/MVC so I apologise if the following are foolish questions.

    I like the look of this, but how can I use this to pass to a view? Currently I have added an `IsAdmin` to my user database and I create a `ManageViewModel` which has the `IsAdmin` property which I pass to my Manage view. Inside the view I can then test if the current user is an admin and display the relevant partial views. What is not clear with the method you outline above is how I can access whether the currently logged in user is an admin or not? I presume I am to use the `Authorize` attributes?

    Thanks very much for your time.


    "Everything should be made as simple as possible, but not simpler" - Einstein

    Thursday, November 6, 2014 1:18 PM
  • Sorry I have just seen your edit. Thanks for the information...

    "Everything should be made as simple as possible, but not simpler" - Einstein

    Thursday, November 6, 2014 1:20 PM
  • Don't worry about your questions, they are good! Please mark as answer if helpful.
    Thursday, November 6, 2014 1:35 PM
  • I will mark it as the answer, thanks. Just a quick one. Currently I have a View called "Manage", I pass into this view a ViewModel that has an `IsAdmin` property. Inside the Razor view I can check if the user is admin via `@Model.IsAdmin`, it is not clear to me how to restrict partial views to admin only users using the above?


    "Everything should be made as simple as possible, but not simpler" - Einstein

    Thursday, November 6, 2014 1:40 PM
  • There are different approaches to achieve that. Why are you sharing the "Partial View" with both admins and users? In truth, the authorization should just be on Actions and Controllers, not in views. In some very specific cases, I would recommend handling the IsAdmin flag in an if statement in the View.
    • Marked as answer by Pengzhen Song Thursday, November 13, 2014 12:10 PM
    Thursday, November 6, 2014 1:48 PM
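
How the two pieces from this exchange fit together, as an added example that is not code from the thread: the view model's `IsAdmin` is filled from the role and only decides what markup is shown, while the admin partial is served by its own action that carries the role check. `ManageController`, the `AdminPanel` action and the `_AdminPanel` partial name are assumptions; `ManageViewModel.IsAdmin` is the property described in the question.

```csharp
using System.Web.Mvc;

// Assumed minimal shape of the view model described in the question.
public class ManageViewModel
{
    public bool IsAdmin { get; set; }
}

[Authorize]   // every action here requires a signed-in user
public class ManageController : Controller
{
    public ActionResult Index()
    {
        // Derive the flag from the role on each request instead of a stored column.
        var model = new ManageViewModel { IsAdmin = User.IsInRole("Admin") };
        return View(model);
    }

    // In Manage/Index.cshtml:
    //   @if (Model.IsAdmin) { @Html.Action("AdminPanel") }
    // The if only controls what is displayed. The attributes below are what
    // stop a non-admin from getting the partial's content.
    [ChildActionOnly]              // cannot be requested directly by URL
    [Authorize(Roles = "Admin")]   // enforced even if the view check is removed
    public ActionResult AdminPanel()
    {
        return PartialView("_AdminPanel");
    }
}
```

Any action the admin partial posts to (upload, account removal) needs its own `[Authorize(Roles = "Admin")]`, since hiding the form does not protect the endpoint behind it.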