Working with Roles in ASP.NET MVC 4+

http://www.dotnetfunda.com/articles/show/2648/working-with-roles-in-aspnet-mvc-4

In this article, We'll look into how to create a new role, delete a role and attach a user to a specific role in ASP.NET MVC using default Role provider under System.Web.Security namespace.

Introduction

Authentication (Login and Registration) is simple in ASP.NET MVC as the default project template provides all the necessary controller code, model and view to register and login. However adding roles and assigning roles to a particular user seems to be lost in all these stuffs. In this article, we will learn all that is related with Roles for a particular user in ASP.NET MVC 4.

Objective

The objective of this article is to explain how to work with Roles in ASP.NET MVC 4 +.

Assumption

Here we are assuming that we have used the default ASP.NET MVC template (ASP.NET MVC 4  Web Application project type and Internet Application template) that automatically creates a database for us when we try to register for the first time and the default database tables it creates for roles are following

1. webpages_Roles
2. webpages_UserInRoles

Creating a new role in ASP.NET MVC

In order to create a new Role, the default template doesn't provide any UI, so we have to build it our self. Below is the simple UI we have built in Razor underViews/Account folder (In fact all views we are going to work with in this article are in this folder). In this case we have used a different Layout page as we do not want the default website Layout to appear.

@{    ViewBag.Title = "RoleCreate";    Layout = "~/Views/Shared/_LayoutAdmin.cshtml";}<div class="spacerBody">    <p>&nbsp;</p>    @Html.ActionLink("Roles", "RoleIndex") | @Html.ActionLink("Add Role to User", "RoleAddToUser")<h2>Role Create</h2>@using(Html.BeginForm()){    @Html.AntiForgeryToken()    @Html.ValidationSummary(true)    <div>    Role name</div>    <p>        @Html.TextBox("RoleName")    </p>    <input type="submit" value="Save" />}    </div>

Picture - 1

Notice that we have a simple TextBox in the above View with the name as  "RoleName" that we are going to use to create a new Role into our database.

Below are two methods in our AccountController.cs responsible for creating a new Role.

        [Authorize(Roles = "Admin")]        public ActionResult RoleCreate()        {            return View();        }        [Authorize(Roles = "Admin")]        [HttpPost]        [ValidateAntiForgeryToken]        public ActionResult RoleCreate(string RoleName)        {                            Roles.CreateRole(Request.Form["RoleName"]);                // ViewBag.ResultMessage = "Role created successfully !";                        return RedirectToAction("RoleIndex", "Account");        }

The first method simply renders the view provided the logged in user has Roles as "Admin" assigned to the database (because of Authorize attribute in this method). So to get started first go to your database table "webpages_Roles" and insert and "Admin" role then map this role to the user id you are logged in with in the"webpages_UsersInRoles" table.

In above case, I am logged in to the application as "SheoNarayan" that has UserId as "2" in the "UserProfile" table that is created by default by ASP.NET MVC project.

Now when Save button is clicked in Picture - 1, the 2nd method of the above code snippet fires and calls the "Roles.CreateRole" method to create a role that is entered into the Textbox.

Listing Roles in ASP.NET MVC

To list roles created in ASP.NET MVC, we have created another view called "RoleIndex" and here is the Razor code for this.

@{    ViewBag.Title = "Role Listing";    Layout = "~/Views/Shared/_LayoutAdmin.cshtml";}<p>&nbsp;</p><div class="spacerBody">    @Html.ActionLink("Create New Role", "RoleCreate") | @Html.ActionLink("Add Role to User", "RoleAddToUser")<h2>Role Index</h2>    <div class="table">            @foreach (string s in Model){    <div class="tr">        <div class="td">            @s        </div>        <div class="td">            <span onclick="return confirm('Are you sure to delete?')">        <a href="/Account/RoleDelete?RoleName=@s" class="delLink"><img src="/images/deleteicon.gif" alt="Delete" class="imgBorder0" /> Delete</a>                           </span>        </div>    </div>}        </div></div>

In this view, we are simply looping through the Model we are receiving from the controller. The controller method that is responsible to render all the roles are below.

        [Authorize(Roles = "Admin")]        public ActionResult RoleIndex()        {            var roles = Roles.GetAllRoles();            return View(roles);        }

The above code simply executes Roles.GetAllRoles() method that gives all roles from the webpages_Roles database table in the form of string array and returns to the view. The same is being used to list the roles on the view.

You must have noticed that we have also added a Delete link against each Role so that we can delete a role too. The Delete link passes the Role name as querystring to theRoleDelete method of the controller, lets see that too.

Delete a Role in ASP.NET MVC

To delete a role, we have just created a method in the controller named "RoleDelete" and making sure that it gets executed only when an Admin user is trying to browse it.

        [Authorize(Roles = "Admin")]        public ActionResult RoleDelete(string RoleName)        {                            Roles.DeleteRole(RoleName);                // ViewBag.ResultMessage = "Role deleted succesfully !";                                    return RedirectToAction("RoleIndex", "Account");        }

This method takes "RoleName" as parameter and calls Roles.DeleteRole method to delete a role.

Note that there is no method in the Roles class called "EditRole" or "UpdateRole" so be careful while creating a new role and deleting a new role.

Assigning a Role to the User in ASP.NET MVC

Now, lets see how to assign a role to the user, to do that we have created a simple form that has a TextBox to accept username and a DropDown that lists all the roles from the database and it looks like below. In the same view, we have also created another form that accepts username and list all the roles associated with that username.

@{    ViewBag.Title = "Role Add To User";    Layout = "~/Views/Shared/_LayoutAdmin.cshtml";}<div class="spacerBody">    <p>&nbsp;</p>    @Html.ActionLink("Create New Role", "RoleCreate") | @Html.ActionLink("Roles", "RoleIndex")        <h2>Role Add to User</h2>@using(Html.BeginForm("RoleAddToUser", "Account")){    @Html.AntiForgeryToken()    @Html.ValidationSummary(true)    <div class="message-success">@ViewBag.ResultMessage</div>    <p>        Username : @Html.TextBox("UserName")        Role Name: @Html.DropDownList("RoleName", ViewBag.Roles as SelectList)            </p>        <input type="submit" value="Save" />}<div class="hr"></div>@using(Html.BeginForm("GetRoles", "Account")){    @Html.AntiForgeryToken()    <p>Username : @Html.TextBox("UserName")         <input type="submit" value="Get Roles for this User" />    </p>}       @if(ViewBag.RolesForThisUser != null) {    <text>    <h3>Roles for this user </h3>    <ol>@foreach (string s in ViewBag.RolesForThisUser){    <li>@s</li>   }                </ol>    </text>}        </div>

The Controller code for this view page looks like below

        /// <summary>        /// Create a new role to the user        /// </summary>        /// <returns></returns>        [Authorize(Roles = "Admin")]        public ActionResult RoleAddToUser()        {            SelectList list = new SelectList(Roles.GetAllRoles());            ViewBag.Roles = list;            return View();        }        /// <summary>        /// Add role to the user        /// </summary>        /// <param name="RoleName"></param>        /// <param name="UserName"></param>        /// <returns></returns>        [Authorize(Roles = "Admin")]        [HttpPost]        [ValidateAntiForgeryToken]        public ActionResult RoleAddToUser(string RoleName, string UserName)        {                if (Roles.IsUserInRole(UserName, RoleName))                {                    ViewBag.ResultMessage = "This user already has the role specified !";                }                else                {                    Roles.AddUserToRole(UserName, RoleName);                    ViewBag.ResultMessage = "Username added to the role succesfully !";                }                        SelectList list = new SelectList(Roles.GetAllRoles());            ViewBag.Roles = list;            return View();        }        /// <summary>        /// Get all the roles for a particular user        /// </summary>        /// <param name="UserName"></param>        /// <returns></returns>        [Authorize(Roles = "Admin")]        [HttpPost]        [ValidateAntiForgeryToken]        public ActionResult GetRoles(string UserName)        {            if (!string.IsNullOrWhiteSpace(UserName))            {                ViewBag.RolesForThisUser = Roles.GetRolesForUser(UserName);                SelectList list = new SelectList(Roles.GetAllRoles());                ViewBag.Roles = list;            }            return View("RoleAddToUser");        }

The first method of above code snippet simply gets all the roles from the database using "GetAllRoles()" method into SelectList and sets into the ViewBag.Roles. The same is being populated as DropDown into the view.

Clicking on Save method fires the 2^nd method that first checks whether this user is already in the selected role, if not then calls "Roles.AddUserToRole" method to adds the username entered into textbox to associate with the role selected in the DropDown.

Listing Roles associated with a particular user in ASP.NET MVC

To list roles associated with a particular username, we have created another form in the same view that executes GetRoles method of the controller and calls"Roles.GetRolesForUser" method to get all roles associated with the username entered into the textbox. These roles are converted into SelectList and then set as "Roles into the ViewBag that ultimately renders the roles associated with a particular username.

How to remove a user from a role in ASP.NET MVC?

In order to remove a user from a particular role, I have again created a small form in the same above view (RoleAddToUser.cshtml) and here is the view code for this.

    <h3>Delete A User from a Role</h3>@using (Html.BeginForm("DeleteRoleForUser", "Account")){    @Html.AntiForgeryToken()    @Html.ValidationSummary(true)    <p>        Username : @Html.TextBox("UserName")        Role Name: @Html.DropDownList("RoleName", ViewBag.Roles as SelectList)            </p>        <input type="submit" value="Delete this user from Role" />}

Writing the username in the TextBox, selecting a role from the DropDown and clicking Save button submit this form to the DeleteRoleForUser action method in the Accountcontroller.

In the Account controller, my action method looks like this 

        [HttpPost]        [Authorize(Roles = "Admin")]        [ValidateAntiForgeryToken]        public ActionResult DeleteRoleForUser(string UserName, string RoleName)        {                if (Roles.IsUserInRole(UserName, RoleName))                {                    Roles.RemoveUserFromRole(UserName, RoleName);                    ViewBag.ResultMessage = "Role removed from this user successfully !";                }                else                {                    ViewBag.ResultMessage = "This user doesn't belong to selected role.";                }                ViewBag.RolesForThisUser = Roles.GetRolesForUser(UserName);                SelectList list = new SelectList(Roles.GetAllRoles());                ViewBag.Roles = list;                        return View("RoleAddToUser");        }

In the above code snippet, I am checking whether the given username exists for that role or not, if yes then calling "Roles.RemoveUserFromRole" method. Following code is to write proper message and to make sure that the form is again getting loaded with the default data in the Role DropDown.

Checking for a particular role before performing any action in ASP.NET MVC

Now, there might be scenario where you need to check into the code block for a particular role for the  user before performing certain activity, to do that use below code

if (User.IsInRole("Admin"))            {                // Code to execute only when the logged in use is in "Admin" role            }

The above code gets executed only when the logged in user belongs to "Admin" role.

Dig more methods of the "Roles" class and you will find many more interesting methods that helps you working with user roles in ASP.NET MVC.

Conclusion

Working with roles in ASP.NET MVC default project template is little tricky and this article explains that. Hope this article would be useful for people looking for working with Roles and managing roles in ASP.NET MVC.

Thanks for reading, do let us know your feedback and share this article to your friends and colleague if you liked. Do vote for this article.