Posted 14 Jun 2012

Field Based Security in ASP.NET MVC 3 for Different Roles

MVC3 role-based security.


This article shows how to secure each field of a web form in ASP.NET MVC 3 for different user roles.

Override AuthorizeAttribute and Add Additional Value in Metadata

To provide security for each field in an ASP.NET application, we can create a custom attribute, modelled on the Authorize attribute, that implements IMetadataAware as follows:

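using System; using System.Linq; using System.Web; using System.Web.Mvc;
public class ReadOnlyAuthorizeAttribute : Attribute, IMetadataAware
{
    public string Roles { get; set; }
    // Read-only unless the current user is in at least one of the listed roles.
    public bool IsReadOnly
    {
        get
        {
            if (this.Roles == null) return true;
            var roleList = this.Roles.Split(',').Select(o => o.Trim()).ToList();
            return !roleList.Any(role => HttpContext.Current.User.IsInRole(role));
        }
    }
    // Publishes the flag so editor templates can read it from the model metadata.
    public void OnMetadataCreated(ModelMetadata metadata)
    {
        metadata.AdditionalValues["IsReadOnly"] = this.IsReadOnly;
    }
}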

The above code checks the logged-in user's roles against the roles supplied to the attribute on the property and, on that basis, adds the additional value IsReadOnly to the property's metadata.

Model Changes

In the model, apply the ReadOnlyAuthorize attribute to the property and supply the roles as shown below:

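// "..." is a placeholder for the comma-separated role list passed to the attribute.
[ReadOnlyAuthorize(Roles = "...")]
public string Name { get; set; }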

Because of this attribute, IsReadOnly will return true for Admin users, and the additional metadata value IsReadOnly will also be set to true.

Editor Template

Now create a new editor template for text (String.ascx) and check whether Name is read-only, as shown below:

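<%@ Control Language="C#" Inherits="System.Web.Mvc.ViewUserControl" %>
<%
    // HTML attributes to pass to the text box.
    var attribute = new System.Collections.Generic.Dictionary<string, object>();
    var isReadOnly = false;
    // The flag is only present on properties decorated with ReadOnlyAuthorize.
    if (ViewData.ModelMetadata.AdditionalValues.ContainsKey("IsReadOnly"))
    {
        isReadOnly = (bool)ViewData.ModelMetadata.AdditionalValues["IsReadOnly"];
    }
    if (ViewData.ModelMetadata.IsReadOnly || isReadOnly)
    {
        attribute.Add("disabled", "disabled");
    }
%>
<%: Html.TextBox(string.Empty, ViewData.TemplateInfo.FormattedModelValue, attribute) %>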

View Changes

In the view, use EditorFor for the Name field as shown:

<%: Html.EditorFor(m => Model.Name) %>

Because Name is a string in the model, it is rendered by the String.ascx editor template above. The template checks the IsReadOnly value and, on that basis, adds the readonly and disabled HTML attributes.

In this way, the Name field can be made editable or read-only by applying the ReadOnlyAuthorize attribute with different roles.

Similarly, we can create editor templates for other controls such as TextBox, DropDown and TextArea, and make each field read-only or editable depending on the logged-in user's roles.
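
The disabled attribute only changes what the browser renders; a request that still carries a value for Name will be bound by the default model binder. The following added example (not code from the article; the class name ReadOnlyAwareModelBinder is an assumption) enforces the same IsReadOnly metadata flag on the server by skipping those properties during model binding:

```csharp
using System.ComponentModel;
using System.Web.Mvc;

// Added example: a model binder that honours the "IsReadOnly" additional
// metadata value written by ReadOnlyAuthorizeAttribute.OnMetadataCreated.
// ReadOnlyAwareModelBinder is a hypothetical name, not part of the article.
// Register once in Application_Start:
//     ModelBinders.Binders.DefaultBinder = new ReadOnlyAwareModelBinder();
public class ReadOnlyAwareModelBinder : DefaultModelBinder
{
    protected override void BindProperty(
        ControllerContext controllerContext,
        ModelBindingContext bindingContext,
        PropertyDescriptor propertyDescriptor)
    {
        ModelMetadata propertyMetadata;
        object flag;

        // Look up the metadata for this property and read the flag, if present.
        bool isReadOnly =
            bindingContext.PropertyMetadata.TryGetValue(propertyDescriptor.Name, out propertyMetadata)
            && propertyMetadata.AdditionalValues.TryGetValue("IsReadOnly", out flag)
            && flag is bool
            && (bool)flag;

        if (isReadOnly)
        {
            // Ignore any posted value: the current user's roles do not
            // permit editing this field, whatever the form contained.
            return;
        }

        base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
    }
}
```

Because a skipped property keeps its default value on a newly created model, the action should reload the stored value for that field before saving.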


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Ajay Bachale
Technical Lead
India
Comments and Discussions

Good!
phung van hung, 10-Aug-12 18:32

Article Copyright 2012 by Ajay Bachale