1

I'm looking into how to implement authorization in MVC 4 (.NET 4.5), and have specifically been reading about SimpleMembership. Is there any typical or accepted way in MVC to have roles that have additional properties aside from a name?

For example, suppose you were designing a CMS, and wanted to be able to have a role called something like Writer that let a user make modifications. However, you also want the role to be restrictive to a single page. The only way that I know of to do that would be to have a separate role for each page, where each role might be named something like Writer_<PageID>. Is there any pattern that's nicer than this, or is that pretty much all we can do?

Ideally, I'm wondering if there'd be some way to be able to have something remotely like:

public ActionResult EditPage(Page page) {
    WriterRole role = new WriterRole(page);

    if (!User.IsInRole(role)) {
        return NotAuthorized();
    }

    // Edit...
}

Instead of:

public ActionResult EditPage(Page page) {
    string role = "Writer_" + page.Id;

    if (!User.IsInRole(role)) {
        return NotAuthorized();
    }

    // Edit...
}
Eric
  • 5,842
  • 7
  • 42
  • 71
  • I glanced at the simple membership and it didn't seem so simple to me. I decided to stick with the current membership provider for my ongoing projects and I love it. – The Muffin Man Feb 20 '13 at 23:28
  • @Nick, would what I'm looking for be doable outside of SimpleMembership? – Eric Feb 21 '13 at 16:19
  • 1
    To solve your problem you're going to need to have a database table that holds userid and page id for pages that are allowed to be viewed. You could make an attribute out of this probably. I don't think roles have anything to do with it, your criteria is too specific for them. – The Muffin Man Feb 21 '13 at 16:42
  • @Nick, thanks, that's what I suspected, but wanted to confirm. – Eric Feb 21 '13 at 16:43
  • I'm not too familiar with attributes but I suspect you could grab the page id from the route data and eventually check your database. If not authorized you could redirect to a custom error page. (I would return the HTTP code for not authorized probably). – The Muffin Man Feb 21 '13 at 16:46

1 Answers1

2

What I would do is have one Writer role then check the UserId to see if the person owns the editable resource.

[Authorize(Roles = "Writer")]
public ActionResult EditPage(Page page) {
    if (User.UserId == page.UserId) { ... }
}
Jasen
  • 14,030
  • 3
  • 51
  • 68
  • That wouldn't work for the case where a page could have multiple editors. I suppose a page could store a list of its editors, or a user could store a list of its editable pages, but it seems dirty to be separated from a role like that (indeed, it takes the whole point out of having the role at all). – Eric Feb 21 '13 at 16:09