I finally got my MVC 4 application all set up with SimpleMembership, but now have run into a new problem. I have a menu system (in a sidebar) that gives users access to various functionality throughout the app. I recently realized that, in order to be somewhat user-friendly, I need to disable or remove various menu links based on roles. So I set up a role system and a relationship to these menu links, which works perfectly. However, the "basic site access" role should not have access to all of the links in the menu (and their corresponding controllers/actions). Previously, I had given site access by simply applying the Authorize attribute globally, via my filter config:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new AuthorizeAttribute());
}
Now I've figured out that, in order to control "basic" access to the app, I would need to add individual Authorize attributes at the action level (with the "admin" role having full access). While this is fine, albeit somewhat annoying, it doesn't seem very scalable. What if my client adds a new role through the administration interface and wants to control access to various tasks? I have already coded the menu system to disable links dynamically, based on what roles have access to which tasks. But there's no way (that I know of) to dynamically apply different roles to the Authorize attribute.
Though I've read about why SimpleMembership may not be the bee's knees, I've just finished migrating from ASP.NET Membership (which had serious shortcomings of its own), and I certainly do not want to roll my own user/role management system. Has anyone successfully implemented something to handle this scenario?
