Asp.net Core MVC Roles and Authorization

Question

For a school project I am remaking the Top2000 website (dutch website with the top 2000 most liked songs per year). Now I have a problem with the roles and the authorization.

I want to add an admin role and give only user with that role access to the privacy page. This is what I got so far: Startup.cs

public void ConfigureServices(IServiceCollection services)
        {
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));
            
            services.AddDbContext<db_a74225_top2000Context>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));
            services.AddDatabaseDeveloperPageExceptionFilter();

            services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddControllersWithViews();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IServiceProvider serviceProvider)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseMigrationsEndPoint();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }
            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseRouting();

            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
                endpoints.MapRazorPages();
            });
        }

HomeController.cs

namespace Top2000.Controllers
{
    public class HomeController : Controller
    {
        private readonly ILogger<HomeController> _logger;

        public HomeController(ILogger<HomeController> logger)
        {
            _logger = logger;
        }

        public IActionResult Index()
        {
            return View();
        }

        [Authorize(Roles = "Admin")]
        public IActionResult Privacy()
        {
            return View();
        }

        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
        public IActionResult Error()
        {
            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
        }
    }
}

Screenshot of dbo.AspNetUserRoles

Screenshot of dbo.AspNetUsers

Screenshot of dbo.AspNetRoles

I expect to get to the privacy page but when I login I still get Access Denied.

Screenshot of Access denied page

Answer 1

Judging from the screenshot of your database, you may not have successfully created a role, you can create a user with a role like the following method CreateRolesandUsers .

public class HomeController : Controller
{
    private readonly RoleManager<IdentityRole> _roleManager;
    private readonly UserManager<IdentityUser> _userManager;
    public HomeController(RoleManager<IdentityRole> roleManager, UserManager<IdentityUser> userManager)
    {
        _roleManager = roleManager;
        _userManager = userManager;
    }
    public async Task CreateRolesandUsers()
    {

        bool x = await _roleManager.RoleExistsAsync("Admin");
        if (!x)
        {
            var role = new IdentityRole();
            role.Name = "Admin";
            await _roleManager.CreateAsync(role);
        }
        var user = new IdentityUser();
        user.UserName = "123@123.com";
        user.Email = "123@123.com";
        string password = "Defaultpassword01!";

        IdentityResult chkUser = await _userManager.CreateAsync(user, password);

        if (chkUser.Succeeded)
        {
            var result = await _userManager.AddToRoleAsync(user, "Admin");
        }
    }
    public IActionResult Index()
    {
        return View();
    }
    [Authorize(Roles = "Admin")]
    public IActionResult Privacy()
    {
        return View();
    }
}

Your DbContext:

public class ApplicationDbContext : IdentityDbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
        : base(options)
    {
    }
    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        base.OnModelCreating(modelBuilder);
    }
}

Then in your startup change your code

 services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
            .AddEntityFrameworkStores<ApplicationDbContext>();

to

services.AddIdentity<IdentityUser, IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultUI()
                .AddDefaultTokenProviders();

When you access this method to successfully create a role, you can log in to the user and then access Privacy.