MVC4 membership, presenting and hiding page controls...

LordNorbury · 21-12-2014 08:12PM #1

Hi folks,

I have an eCommerce website that I developed using Webforms. In the office, the desktop version (that I built myself using .NET Webforms), is used to manage transactions/data/DB records as they are created by customers and pass through our company.

I decided to build a mobile version of the site which sits on a sub-domain of the main site/domain and I've posted here before on the forum in relation to making the transition from Webforms to MVC.

I'm looking for some advice again, this time specifically on Membership and how to integrate membership fully into my MVC4 mobile solution.

I'm using Themeroller to theme my page and am happy with how it renders on a smartphone, and have a login page which lets me login/logout, etc and this all works fine.

What I'm trying to do now is get my membership to the next level, and I did this easily enough before for my desktop website using Webforms, which is to control what the logged in user can see, depending on whether they are authenticated or not.

This was very easy to do using Webforms, as I'd just set a control to visible = true or false in an event handler, using an if.user.authenticated expression.

Obviously in MVC there are no event handlers, so I'm just looking to be pointed in the right direction for how to allow an authenticated user see and use buttons and textboxes, dropdown lists, radio/checkbox buttons etc on a page, and if they are not authenticated, then the controls on the page are not visible to them?

Thanks to any folks on thread for any help with this...

Raging_Ninja · 21-12-2014 09:03PM

Create views with view models - one for the logged in user, one for the unauthenticated user. Controller then decides which to display.

That'll be a lot less hassle in the long run than putting a load of if/else logic in the views.

LordNorbury · 21-12-2014 09:09PM

Raging_Ninja wrote: »

Create views with view models - one for the logged in user, one for the unauthenticated user. Controller then decides which to display.

That'll be a lot less hassle in the long run than putting a load of if/else logic in the views.

But how do I stop someone who knows the path for the view rendered for the authenticated user, hard typing that into the browser and then seeing that view even if they are not authenticated? For the authenticated user should I still use a if.user.isauthenticated on the controller for that view?

Raging_Ninja · 21-12-2014 09:39PM

Create an actionresult which accepts the query from the user.

If the user is authenticated, use a RedirectToAction to send the request to an actionresult which has been decorated with the Authorized attribute (you can also specify the the roles allowed if you want) - that will handle somebody trying to access the secure content.

LordNorbury · 21-12-2014 11:16PM

Raging_Ninja wrote: »

Create an actionresult which accepts the query from the user.

If the user is authenticated, use a RedirectToAction to send the request to an actionresult which has been decorated with the Authorized attribute (you can also specify the the roles allowed if you want) - that will handle somebody trying to access the secure content.

I'm a bit unsure of the meaning of what you've suggested above which I've underlined, do you mean I need to do something with the UserID string of the authenticated user as in check if they are a user against the DB and if they are, then display XYZ? Sorry if that sounds like a stupid question but MVC is kinda not coming easily to me given my background in Webforms...

Raging_Ninja · 21-12-2014 11:45PM

http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx

The Authorized attribute means the action method cannot be reached unless the user is logged in. You can also use it to specify roles or users which are allowed to use it.

There's a few blogs around which go into good detail explaining how this all works.

LordNorbury · 22-12-2014 01:00AM

Raging_Ninja wrote: »

http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx

The Authorized attribute means the action method cannot be reached unless the user is logged in. You can also use it to specify roles or users which are allowed to use it.

There's a few blogs around which go into good detail explaining how this all works.

Thanks a mil for pointing me in the right direction, I'll give this a go tomorrow!

LordNorbury · 23-12-2014 10:31AM

Just a quick question folks following on from the very helpful advice I got above from Ninja. Below is what I had in my Home Controller for a view called MyFirstPage. I have membership now running on my site so a user can register and log on and log off. This however had no bearing on how the view below was displayed.

[PHP] public ActionResult MyFirstPage()
{
return View();
}
[/PHP]

I changed the code above to:

[PHP]
[Authorize]
public ActionResult MyFirstPage()
{
return View();
}
[/PHP]

and I have no noticed that a user that is NOT authenticated, cannot access this view, it appears that they are automatically routed back to the page they are trying to access the above view from, but a user that IS authenticated can see the view. Am I right here in my thinking, is it actually this easy to secure a page in this manner, just by adding [Authorize] to the top of the code like this for the view in your controller?

Thanks in advance for any suggestions or comments with this.

MVC4 membership, presenting and hiding page controls...

Comments