-1

I have an existing ASP.NET MVC application that is working well. It provides a select group of people with a set of management functionality. I am now tasked with allowing a much larger group access to a very limited portion of the exact same application.

Is an ASP.NET MVC Area the way to do this? The reason I ask is because I would like to have all users visit the same web page (mysite.com for example) and I would like the look and feel to remain the same (take advantage of the same master page files or _Layout.cshtml).

The current setup is that all users have equal (full) access to all data the system presents.

So when Bob goes to

/People/Index 

he sees everything, and when Sally does, she sees the same thing.

Now I need to allow a bunch more individuals to access this same thing. So when Cindy goes to

/People/Index

all she will see are people who report directly to her, and the same for Dave, and everyone else who is not specifically part of the "admin" group who get full access to everything.

The URI here is not important to me; but what I do want to do is be able to recycle the same layouts and views, while using a different set of controllers (which have additional business logic to only show the subset of data).

Is an ASP.NET MVC Area the correct way to do this? If not, a pointer in the right direction?

Nate
  • Have you considered and rejected just restricting access to the various parts of the view as per: http://stackoverflow.com/questions/4881602/authorise-part-of-a-view-in-asp-net-mvc ? – Greg Smith Nov 20 '12 at 20:01

2 Answers

1

If the only requirement is that the data be limited to those people/items directly related to the user, I would do this in your data tier. When you go to load the list of users, return only the users Cindy has access to. Perhaps have a user-table flag for whether the user is an admin user or not.

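```csharp
// Needs: using System.Linq; _db.Users, Id and ManagerId are placeholder
// names for your own user store and reporting relationship.
public IEnumerable<User> GetUsers(User requestingUser)
{
    // Admins get the full list of users.
    if (requestingUser.IsAdmin)
        return _db.Users;

    // Everyone else gets only the users who report directly to them.
    return _db.Users.Where(u => u.ManagerId == requestingUser.Id);
}
```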

If you do all this logic in your data layer, the users all use the same site and go through the same page-flow, just what displays in the pages is limited. Of course you could also test the user's admin flag when rendering certain parts of views as well, etc.

Rick Petersen
  • This seems like something that I might want to do, but I was hoping to get it via something built-in instead of relying on my code to separate them. – Nate Nov 20 '12 at 20:07
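
Added example, not part of the original answer: the data-tier filtering described above, extended to single-record lookups so that a non-admin who guesses an id gets the same result as for a record that does not exist. `Person`, `ManagerId`, `IsAdmin` and `ScopedPeopleRepository` are assumed names, and the caller is assumed to be looked up server-side from the authenticated identity, never from request data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public class Person
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int? ManagerId { get; set; }  // assumed reporting link
    public bool IsAdmin { get; set; }    // assumed admin flag
}

// All reads pass through Visible(), so the list page and by-id lookups
// cannot disagree about what the caller is allowed to see.
public class ScopedPeopleRepository
{
    private readonly IEnumerable<Person> _all;
    private readonly Person _caller;
    public ScopedPeopleRepository(IEnumerable<Person> all, Person caller)
    {
        _all = all;
        _caller = caller;
    }

    private IEnumerable<Person> Visible()
    {
        return _caller.IsAdmin ? _all : _all.Where(p => p.ManagerId == _caller.Id);
    }
    public List<Person> List() { return Visible().ToList(); }
    // Out-of-scope ids return null, the same as ids that do not exist.
    public Person Find(int id) { return Visible().FirstOrDefault(p => p.Id == id); }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: Erin reports to Cindy, Frank to Bob.
        var bob = new Person { Id = 1, Name = "Bob", IsAdmin = true };
        var cindy = new Person { Id = 2, Name = "Cindy", ManagerId = 1 };
        var erin = new Person { Id = 3, Name = "Erin", ManagerId = 2 };
        var frank = new Person { Id = 4, Name = "Frank", ManagerId = 1 };
        var all = new[] { bob, cindy, erin, frank };
        var asCindy = new ScopedPeopleRepository(all, cindy);
        Console.WriteLine(string.Join(",", asCindy.List().Select(p => p.Name)));
        Console.WriteLine(asCindy.Find(4) == null);
        Console.WriteLine(new ScopedPeopleRepository(all, bob).List().Count);
    }
}
```

A controller action for a details page would call `Find` and return a 404 when it yields null, so existing views and layouts stay unchanged.
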
0

I think that you are on a good track with ASP MVC. Something you want to look into is implementing roles in your application and, based on roles, presenting certain information to the user. If the users do the same functionality, I would not go with areas. If I understand your question correctly, you are not developing different aspects under the same app, like Blog, Shopping and so on, which have totally different functionality. Please look at Roles and Memberships:

http://www.asp.net/web-forms/videos/how-do-i/how-do-i-secure-my-site-using-membership-and-roles

COLD TOLD
  • I have tried with roles, and I ran into issues with `Roles.AddUserToRole("Admin")` because I had no provider (I don't really want one, because I want to set the role every time the user logs in) – Nate Nov 20 '12 at 20:06
  • Then write your own role management in the user table, like giving certain roles to the user (admin, editor and so on), and then, based on the user login, get his/her role and present his specific view. – COLD TOLD Nov 20 '12 at 20:08