
Let's say I have an ASP.NET MVC 4 application. I need to provide different privileges on different pages for the same users. For example, the same user could be an administrator on one page and a guest on another. MVC by default provides system-wide user privileges. I dug up some information that I should use custom membership providers to achieve my goal, but am not yet sure about this. Can someone suggest a solution?

The roles should behave the same on the same type of pages. Let's say that a topic's content, on a forum, could be edited only by the person who created it or by a moderator. Yet the user will not be able to edit someone else's topic and the moderator will not be able to edit a topic that is not a part of his topic subject group. The role system in my application should behave similarly.

tereško
Andrew
  • You would just implement the logic yourself. Say in the `/foo/bar` action, you just logically check if the user is in a role and allow or deny the action, then in `/foo/baz` you check again and allow or deny. You should note, though, that this is going to complicate things. Consider having multiple roles instead of a single role that means different things in different controllers/actions. – xdumaine Nov 20 '13 at 13:31
  • I would say look in to using multiple roles. e.g. instead of Administrator consider using SectionAdministrator and OtherSectionGuest. – Brad Christie Nov 20 '13 at 13:32
  • You can put AuthorizeAttribute on your controller's actions and provide Users property with users which should have access to particular action. – Yevgeniy.Chernobrivets Nov 20 '13 at 13:32

1 Answer


You don't necessarily have to create a custom membership provider, but you are going to have to think about permissions differently.

To start, replace the word "Role" with "Operation" in your head.

You need to create atomic, fine grained permissions in your application such as:

  • UserPropertiesView
  • UserPropertiesModify
  • CreateUser
  • DeleteUser
  • RolesView
  • RolesModify
  • CreateRole
  • DeleteRole

It might be difficult at first, but this gives you great control and flexibility over assigning operations to individual users. Since different pages will have different operations, you will be able to customize their access.

Unfortunately, the out-of-the-box ASP.Net membership and role providers all work off the concept of a coarse-grained Role. So long as you know they are Operations, and not roles, you will be good.

Abstractions are your friend here:

using System.Web;

public static class Permissions
{
   // Returns true when the current user holds the named operation.
   // Operations are stored in the role store, so IsInRole answers the question.
   public static bool Operation(string op)
   {
      //this class can be a lot better
      // it can be testable, and check
      // error conditions, but this is
      // only an example :)
      return HttpContext.Current.User.IsInRole(op);
   }
}

Somewhere you will want to group all these operations up into Roles, but that will require some custom programming on your part.

Custom Providers really aren't that scary, and you can extend the built in ones easily.

Josh
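An added example (not part of Josh's answer) showing how the operation check above can be attached to MVC actions and combined with the per-topic ownership rule from the question. The Topic model, RequireOperationAttribute, and the "ModerateGroup:<group>" operation naming are assumptions made for this example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Action filter: allow only principals that hold the named operation.
// Operations live where ASP.NET roles normally do, so IsInRole answers
// "does this user hold this operation", as in the answer's Permissions class.
public sealed class RequireOperationAttribute : AuthorizeAttribute
{
    private readonly string _operation;
    public RequireOperationAttribute(string operation) { _operation = operation; }
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        return user != null && user.Identity.IsAuthenticated && user.IsInRole(_operation);
    }
}

// Hypothetical topic model; SubjectGroup is the moderation group it belongs to.
public class Topic
{
    public int Id { get; set; }
    public string AuthorName { get; set; }
    public string SubjectGroup { get; set; }
}

public static class TopicPolicy
{
    // The question's forum rule: the author may edit their own topic; a moderator
    // may edit only topics in the group they moderate. "ModerateGroup:<group>"
    // is a constructed naming convention for per-group operations.
    public static bool CanEdit(IPrincipal user, Topic topic)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        if (string.Equals(user.Identity.Name, topic.AuthorName, StringComparison.OrdinalIgnoreCase))
            return true;
        return user.IsInRole("ModerateGroup:" + topic.SubjectGroup);
    }
}

public class TopicController : Controller
{
    [HttpPost, ValidateAntiForgeryToken, RequireOperation("TopicModify")]
    public ActionResult Edit(Topic topic)
    {
        // The attribute gates the page; the ownership check gates the specific row.
        if (!TopicPolicy.CanEdit(User, topic)) return new HttpUnauthorizedResult();
        return RedirectToAction("Details", new { id = topic.Id });
    }
}
```

In a real application the AuthorName and SubjectGroup used for the check must be loaded from the data store by Id, not trusted from the posted form.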
  • Thank you, Josh. I actually thought of this solution before I asked the question.... But. I was specifically asked not to implement this solution, because it is "too flexible". :) Yet, I believe this is the best solution so far. – Andrew Nov 20 '13 at 15:03