In this module we are going to tidy up some loose ends pertaining to Security and Administration on the Home Index page. As noted at the end of the last module any user can currently create, edit, or delete Vehicles from the Home page. In this module we are going to lock down these features so that only Administrators and Staff can manage vehicles.
Locking Down the Vehicles controller
Modify the VehiclesController class in the Controllers folder of the FredsCars project with the changes shown below.
FredsCars\Controllers\VehiclesController.cs
using FredsCars.Models;
using FredsCars.Models.Repositories;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.EntityFrameworkCore;

namespace FredsCars.Controllers
{
    // Every action in this controller requires a logged-in user in one of
    // these roles unless the action opts out with [AllowAnonymous].
    [Authorize(Roles = "Administrator,Staff")]
    public class VehiclesController : Controller
    {
        private IVehicleRepository _vehicleRepo;
        private IVehicleTypeRepository _vehicleTypeRepo;
        private ILogger _logger;

        public VehiclesController(IVehicleRepository vRepo,
                                  IVehicleTypeRepository vtRepo,
                                  ILogger<VehiclesController> logger)
        {
            _vehicleRepo = vRepo;
            _vehicleTypeRepo = vtRepo;
            _logger = logger;
        }

        // Details is read-only and must stay reachable by visitors who are
        // not logged in, so it overrides the class-level Authorize attribute.
        [AllowAnonymous]
        public async Task<ViewResult> Details(int id)
        {
            Vehicle? vehicle = await _vehicleRepo.Vehicles
                .AsNoTracking()
                .Include(v => v.VehicleType)
                .FirstOrDefaultAsync(v => v.Id == id);

            if (vehicle == null)
            {
                ViewBag.NoVehicleMessage =
                    "Sorry, no vehicle with that id could be found.";
            }

            return View(vehicle);
        }

        ... existing code ...
In the controller code above, we have decorated the Vehicles controller with the Authorize attribute, specifying that only users in the Administrator or Staff role can access any of the action methods in the controller.
[Authorize(Roles = "Administrator,Staff")]
public class VehiclesController : Controller
As a result, any user who is not logged in with one of those roles and tries to create, edit, or delete a vehicle is redirected to the Login page. This check runs on the server for every request, so it holds even if the user types the Create, Edit, or Delete URL directly into the browser.


By decorating the Vehicles controller with the Authorize attribute we prevent users who are not logged in, or who do not have the Administrator or Staff role, from accessing any action method in the controller. This includes the Details action method, which we want any user to be able to access. To allow access to users who are not logged in we apply the AllowAnonymous attribute to the Details action method; an action-level AllowAnonymous overrides the class-level Authorize attribute for that one action only, so the remaining actions stay locked down.
[AllowAnonymous]
public async Task<ViewResult> Details(int id)
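The quickest way to confirm that the server-side lockdown behaves as described, regardless of what the views render, is an integration test that sends anonymous requests to the Vehicles actions. This is an added example, not part of the FredsCars tutorial; it assumes an xUnit test project referencing Microsoft.AspNetCore.Mvc.Testing and the FredsCars project, that Program.cs exposes its entry point with `public partial class Program { }`, that the default `{controller}/{action}/{id?}` route is in use, and that the login page path contains "Login".

```csharp
// Added example (not the tutorial's code): verifies the Authorize /
// AllowAnonymous behaviour of VehiclesController over HTTP.
using System.Net;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

namespace FredsCars.Tests
{
    public class VehiclesAuthorizationTests
        : IClassFixture<WebApplicationFactory<Program>>   // Program: assumed public partial class
    {
        private readonly HttpClient _client;

        public VehiclesAuthorizationTests(WebApplicationFactory<Program> factory)
        {
            // Do not follow redirects: the 302 to the login page is the thing we assert on.
            _client = factory.CreateClient(new WebApplicationFactoryClientOptions
            {
                AllowAutoRedirect = false
            });
        }

        [Fact]
        public async Task Details_IsServed_WithoutLogin()
        {
            // [AllowAnonymous] on Details: an anonymous request gets the view, not a redirect.
            // Id 1 is a placeholder; a missing vehicle still returns the view (200)
            // with the "no vehicle" message, so the test does not depend on seeded data.
            var response = await _client.GetAsync("/Vehicles/Details/1");
            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        }

        [Theory]
        [InlineData("/Vehicles/Create")]
        [InlineData("/Vehicles/Edit/1")]
        [InlineData("/Vehicles/Delete/1")]
        public async Task ManagementActions_RedirectAnonymousUsersToLogin(string path)
        {
            // [Authorize(Roles = "Administrator,Staff")] on the controller: an anonymous
            // GET is challenged with a 302 to the login page, even though the Home Index
            // view no longer renders links to these actions.
            var response = await _client.GetAsync(path);
            Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
            Assert.Contains("Login", response.Headers.Location?.ToString() ?? "");
        }
    }
}
```

Because the factory boots the real application, these tests also exercise the configured database connection; point the test host at a test database if the development one is not available.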
Locking Down the Home Index view
In the previous section we enforced the restriction on the server side. In this section we take care of the front end and remove the Create New link and the Edit and Delete buttons for Vehicle results on the Home Index page for users who are not authenticated or who do not have the Administrator or Staff role.
Modify the _VehicleTableRowResult.cshtml file in the Views\Home folder of the FredsCars project.
FredsCars\Views\Home\_VehicleTableRowResult.cshtml
@model Vehicle

<tr>
    <td>
        <a asp-controller="Vehicles"
           asp-action="Details"
           asp-route-id="@Model.Id">
            <img src="@Model.ImagePath"
                 class="result-image" />Details</a>
        @if (User.IsInRole("Administrator") || User.IsInRole("Staff"))
        {
            <a asp-controller="Vehicles"
               asp-action="Edit"
               asp-route-id="@Model.Id">
                <i class="bi bi-pencil text-success"></i></a>
            <a asp-controller="Vehicles"
               asp-action="Delete"
               asp-route-id="@Model.Id">
                <i class="bi bi-trash text-danger"></i></a>
        }
    </td>
    <td>
        @Html.DisplayFor(modelItem => Model.Status)
    </td>
    <td>
        @Html.DisplayFor(modelItem => Model.Year)
    </td>
    ... existing code ...
In the partial view above, which displays Vehicle results, the Razor code now has a C# if block that checks that the current user has either the Administrator or Staff role and only then renders the Edit and Delete icon buttons. Note that this only hides the links; the Authorize attribute on the controller is what actually prevents the actions from being invoked.
Now modify the Index view of the Home Controller.
FredsCars\Views\Home\Index.cshtml
@model VehiclesListViewModel

@{
    ViewData["Title"] = "Welcome";
}

<div class="container-fluid my-4 text-center">
    <h1>Welcome to Fred's Cars!</h1>
    Where you'll always find the right car, truck, or jeep.<br />
    Thank you for visiting our site!

    <div class="container-fluid mx-0 row"
         style="margin-top: 20px; border: 0px solid black">
        <!-- Categories -->
        <div class="col-4 col-md-3 col-lg-2"
             style="border-right: 2px solid black">
            <div class="d-grid gap-2 button-grid">
                @if (User.IsInRole("Administrator") || User.IsInRole("Staff"))
                {
                    <p class="container-fluid text-start">
                        <a asp-controller="Vehicles" asp-action="Create">Create New</a>
                    </p>
                }
                <vc:categories-component />
            </div>
        </div>
        ... existing code ...
In the above Razor code we have applied the same if block condition around the Create New link as we did for the Edit and Delete icon buttons.
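The role names now appear as string literals in the controller and in two views, so a future change (say, adding a Manager role) has to be made in every copy. An added example, not the tutorial's code, shows how the same rule can be defined once as a named authorization policy and consumed from both the controller and the Razor views via IAuthorizationService; the policy name "ManageVehicles" is an assumption, and the last part of the block is Razor markup rather than C#.

```csharp
// Added example (not the tutorial's code): one named policy replaces the
// repeated "Administrator,Staff" role strings. Policy name is assumed.

// --- Program.cs, alongside the existing FredsCars service registrations ---
builder.Services.AddAuthorization(options =>
{
    // The single place that defines who may manage vehicles.
    options.AddPolicy("ManageVehicles",
        policy => policy.RequireRole("Administrator", "Staff"));
});

// --- Controllers/VehiclesController.cs ---
// Replaces [Authorize(Roles = "Administrator,Staff")]; everything else in the
// controller, including [AllowAnonymous] on Details, stays as it is.
[Authorize(Policy = "ManageVehicles")]
public class VehiclesController : Controller
{
    // ... existing code ...
}

// --- Views/Home/_VehicleTableRowResult.cshtml (Razor markup) ---
// The view asks the same policy instead of repeating the role names.
// Index.cshtml wraps the Create New link in the same way.
@using Microsoft.AspNetCore.Authorization
@inject IAuthorizationService AuthorizationService
@model Vehicle

@if ((await AuthorizationService.AuthorizeAsync(User, "ManageVehicles")).Succeeded)
{
    <a asp-controller="Vehicles" asp-action="Edit" asp-route-id="@Model.Id">
        <i class="bi bi-pencil text-success"></i></a>
    <a asp-controller="Vehicles" asp-action="Delete" asp-route-id="@Model.Id">
        <i class="bi bi-trash text-danger"></i></a>
}
```

With the policy in place, changing who may manage vehicles is a one-line edit in Program.cs, and the controller and the views can no longer disagree about it.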
In the screenshot below you can see that I am logged in as an Administrator so I have Edit and Delete buttons as well as the Create New link.

In the screenshot below I am logged out so the Delete and Edit icon buttons as well as the Create New link are not rendered.

What’s Next
In this module we did a little housecleaning for security and administration. In the next module we have just one more thing left to do: add a reset password feature.
