Seth A Burleson
Posted on May 7, 2021
Part 2 in a series on security for an MVC blog site. See Part 1 here
Step 3: Let yourself back in.
So your application is now so secure that even you can't get in.
Let's make a DataService with a method that calls two other methods:
public class DataService
{
    /* Any injected services go here!!
       (the methods below use _context, _roleManager, _userManager and _configuration)
       Don't forget the constructor!! */
    public async Task ManageDataAsync()
    {
        // Task 1: Seed roles (create them and enter them into the Authorization system)
        await SeedRolesAsync();
        // Task 2: Seed a few users into AspNetUsers
        await SeedUsersAsync();
    }

    // SeedRolesAsync() and SeedUsersAsync(), shown next, also live in this class
}
I used the DataService to seed roles when there are none (this is the first method in that service):
public async Task SeedRolesAsync()
{
    // Are there already roles in the system? If so, nothing to do.
    if (_context.Roles.Any())
    {
        return;
    }
    // Loop over the names in the BlogRole enum and create an Identity role for each
    foreach (var role in Enum.GetNames(typeof(BlogRole)))
    {
        await _roleManager.CreateAsync(new IdentityRole(role));
    }
}
BlogRole is an enum whose options are Administrator and Moderator, so we now have two roles in our database.
Let's then seed an admin user:
private async Task SeedUsersAsync()
{
    // Only seed when the user table is empty
    if (_context.Users.Any())
    {
        return;
    }
    var adminUser = new BlogUser()
    {
        Email = "AdminEmail@AdminMailAddress.com",
        UserName = "AdminEmail@AdminMailAddress.com",
        FirstName = "Admin",
        LastName = "Istrator",
        // OTHER DATA FOR USER CLASS
    };
    var result = await _userManager.CreateAsync(adminUser, _configuration["AdminPassword"]);
    // Only assign the role if the user was actually created (e.g. the password met the policy);
    // AddToRoleAsync on a user that was never saved would throw
    if (result.Succeeded)
    {
        await _userManager.AddToRoleAsync(adminUser, BlogRole.Administrator.ToString());
    }
}
My admin password lives in my appSettings.json, to keep it private from GitHub. You may also use IdentityUser where I used BlogUser to initialize a user.
ManageDataAsync is called from your Program.cs file, where the contents of Main look like:
public static async Task Main(string[] args)
{
    // The template's original line, replaced by the code below:
    //CreateHostBuilder(args).Build().Run();
    var host = CreateHostBuilder(args).Build();
    // Resolve the DataService (it must be registered with the DI container, e.g. in
    // Startup.ConfigureServices) from a scope that is disposed once seeding is done.
    // CreateScope/GetRequiredService need: using Microsoft.Extensions.DependencyInjection;
    using (var scope = host.Services.CreateScope())
    {
        var dataService = scope.ServiceProvider.GetRequiredService<DataService>();
        await dataService.ManageDataAsync();
    }
    host.Run();
}
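A more defensive version of the seeding step above, written here as an added example and not the post's code: it creates each role only if it is missing, refuses to start when AdminPassword is absent from configuration, and turns IdentityResult errors into exceptions instead of ignoring them. It assumes the post's BlogUser, BlogRole, RoleManager<IdentityRole>, UserManager<BlogUser> and IConfiguration; the DataSeeder class name and the EnsureSucceeded helper are mine.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;

// Added example (not the post's code): idempotent, fail-loud seeding of the BlogRole enum and
// the first Administrator account. Call it from Main with services resolved from the host scope.
public static class DataSeeder
{
    public static async Task SeedAsync(RoleManager<IdentityRole> roleManager,
                                       UserManager<BlogUser> userManager,
                                       IConfiguration configuration)
    {
        // Create only the roles that are missing, so a value added to BlogRole later is still
        // seeded on the next start-up (a Roles.Any() check would skip it once any role exists).
        foreach (var role in Enum.GetNames(typeof(BlogRole)))
        {
            if (!await roleManager.RoleExistsAsync(role))
                EnsureSucceeded(await roleManager.CreateAsync(new IdentityRole(role)), $"role {role}");
        }

        // Refuse to start half-seeded: without a configured password there is no admin account.
        var password = configuration["AdminPassword"];
        if (string.IsNullOrWhiteSpace(password))
            throw new InvalidOperationException("AdminPassword is not configured.");

        const string adminEmail = "AdminEmail@AdminMailAddress.com"; // placeholder address from the post
        var admin = await userManager.FindByEmailAsync(adminEmail);
        if (admin == null)
        {
            admin = new BlogUser { Email = adminEmail, UserName = adminEmail, FirstName = "Admin", LastName = "Istrator" };
            EnsureSucceeded(await userManager.CreateAsync(admin, password), "admin user");
        }

        // AddToRoleAsync reports an error if the user already holds the role, so check first.
        var adminRole = BlogRole.Administrator.ToString();
        if (!await userManager.IsInRoleAsync(admin, adminRole))
            EnsureSucceeded(await userManager.AddToRoleAsync(admin, adminRole), "admin role");
    }
    // Turn a failed IdentityResult into an exception listing every error (password policy
    // violations, duplicate user names, ...) instead of silently carrying on.
    private static void EnsureSucceeded(IdentityResult result, string what)
    {
        if (result.Succeeded) return;
        var errors = string.Join("; ", result.Errors.Select(e => $"{e.Code}: {e.Description}"));
        throw new InvalidOperationException($"Seeding {what} failed: {errors}");
    }
}
```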
Step 4: Hiding things from the unregistered masses
If a new unregistered user comes to my site, I don't want them to click on something that takes them to a page where access is denied. In my view, I'll add a simple if statement:
@if (User.IsInRole("Administrator"))
{
    <li class="nav-item">
        <a class="nav-link" asp-area="" asp-controller="Blogs" asp-action="Index">Blogs</a>
    </li>
    <li class="nav-item">
        <a class="nav-link" asp-area="" asp-controller="Posts" asp-action="Index">Posts</a>
    </li>
}
The inner content will be whatever you want to display to users in the Administrator role. Adding an || to your if condition allows for multiple roles, and else statements can be used to display different content to different roles.
An interesting idea is to give the user a gray button that redirects to a purchase page if they aren't a premium user, showing them what they're missing and giving them an option to upgrade.