Tienda Mi Cholo uses ASP.NET Core’s cookie-based authentication and the built-inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/interezante456-pixel/nuevo-proyecto-viernes/llms.txt
Use this file to discover all available pages before exploring further.
[Authorize] attribute system to enforce role-based access control (RBAC) across the entire application. Roles are stored as rows in the Roles table and linked to each user via a Rol_ID foreign key on the Usuarios table. When a user logs in, their role name is embedded directly into the authentication cookie as a ClaimTypes.Role claim, which ASP.NET Core then evaluates automatically on every request against any [Authorize(Roles = "...")] attribute present on a controller or action.
The Three Roles
Three roles are seeded into the database during initial migration and serve as the foundation for all permission decisions in the system.Administrador
Full access to every feature in the system, including user management, role management, and all destructive operations. The seeded admin account (
admin@micholo.com) is assigned this role by default.Gerente
Broad operational access — can manage products, categories, and clients, and can delete sales to correct errors. Cannot access user or role administration.
Cajero
Day-to-day point-of-sale access. Can browse inventory, register new clients, and create sales. Cannot modify products, categories, or delete any records.
Role management (creating, editing, and deleting roles) is restricted exclusively to the Administrador role. The
RolController is decorated with [Authorize(Roles = "Administrador")] at the class level, so no other role can access any of its actions.Permission Matrix
The table below is derived directly from the[Authorize(Roles = "...")] attributes on each controller and action. A controller-level [Authorize] (without a role restriction) means all three roles have access; a controller-level [Authorize(Roles = "Administrador")] means only Administrador can access any action within it.
| Feature | Administrador | Gerente | Cajero |
|---|---|---|---|
Dashboard (Home/Index) | ✓ | ✓ | ✓ |
View Sales list (Venta/Lista) | ✓ | ✓ | ✓ |
Create New Sale (Venta/Nueva) | ✓ | ✓ | ✓ |
Delete Sale (Venta/Eliminar) | ✓ | ✓ | ✗ |
View Products (Producto/Lista) | ✓ | ✓ | ✓ |
Create Product (Producto/Nuevo) | ✓ | ✓ | ✗ |
Edit Product (Producto/Editar) | ✓ | ✓ | ✗ |
Delete Product (Producto/Eliminar) | ✓ | ✓ | ✗ |
Toggle Product Status (Producto/CambiarEstado) | ✓ | ✓ | ✗ |
View Categories (Categoria/Lista) | ✓ | ✓ | ✓ |
Create Category (Categoria/Nuevo) | ✓ | ✓ | ✗ |
Edit Category (Categoria/Editar) | ✓ | ✓ | ✗ |
Delete Category (Categoria/Eliminar) | ✓ | ✓ | ✗ |
View Clients (Cliente/Lista) | ✓ | ✓ | ✓ |
Create Client (Cliente/Nuevo) | ✓ | ✓ | ✓ |
Edit Client (Cliente/Editar) | ✓ | ✓ | ✗ |
Delete Client (Cliente/Eliminar) | ✓ | ✓ | ✗ |
Manage Users (Usuario/*) | ✓ | ✗ | ✗ |
Manage Roles (Rol/*) | ✓ | ✗ | ✗ |
How Authorization Works
Authorization is applied at two levels: the controller level (applies to every action in the class) and the action level (overrides or supplements the controller-level attribute for a specific endpoint). The example below is taken directly fromVentaController.cs and shows both patterns in the same controller:
AccesoDenegado view served by AccesoController.
Claims at Login
When a user successfully authenticates,AccesoController.Login builds a ClaimsIdentity with five claims that are persisted in an encrypted cookie for the lifetime of the session. These claims are then available throughout the application via HttpContext.User and HttpContext.Session.
| Claim | Type | Source field | Purpose |
|---|---|---|---|
ClaimTypes.Name | Standard | Usuario.NomUsuario | Displayed as the logged-in username; used by User.Identity.Name |
ClaimTypes.Email | Standard | Usuario.CorreoUsuario | Identifies the user’s email address within the claims principal |
ClaimTypes.Role | Standard | Rol.NomRol | Evaluated by every [Authorize(Roles = "...")] attribute in the application |
"IdUsuario" | Custom | Usuario.ID_Usuario | Stored in session and used when recording Usuario_ID on new Venta records |
"NomCompleto" | Custom | Usuario.NomCompleto | Displayed in the navigation bar as the user’s full display name |