0

I'm trying to build filters on ASP.NET MVC 4 based on IAuthorizationFilter to limit access to certain controllers.

The idea is that if an end user of the web app has the appropriate privilege, his access is allowed; otherwise, it isn't.

So in the end I'm trying to get his BOOL privileges based on User.Identity.Name and then check whether he has the right or not.

Do I need to implement as many filters as I have BOOL privileges, or can a single filter do the work? How do I implement this? Any brilliant idea, please?

ABCmo

1 Answer

0

No, you don't have to do that. How you determine the privileges of each user can be either done within OnAuthorization or refactored into a separate static method and called within OnAuthorization.

But when you use the custom authorize attribute for either an Action method or a Controller, you should be able to say that only users with Create permission can access the Action or users with Read permission can access this controller. Please take a look at this blog post.

http://codeutil.wordpress.com/2013/05/14/forms-authentication-in-asp-net-mvc-4/#mvc-implement-custom-authorization-filter

You will notice there are two variables defined:

public int StartTime { get; set; }
public int EndTime { get; set; }

Instead, you can use:

public bool AllowRead {get;set;}
public bool AllowWrite {get;set;}

Then use the authorize attribute as follows:

[HttpPost]
[CustomAuthorize(AllowRead = false, AllowWrite = true)]
public ActionResult Create(Model model)
{
    //your code
}

The above is just one way of doing it. Another method is to use an enum flag. Please take a look at this answer.

How could I use my own database table for MVC 4 user control (and authorizing with boolean fields in role table)?

Amila
  • Thanks for your response. The privileges are stored in a table (class) which is related to the memberships table. So, I'm trying to get the privileges of the currently logged-in user and check if he/she has the right to execute a controller action. A privilege allows the use of all of a controller's methods. – ABCmo Feb 26 '14 at 17:08
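One way to write the single attribute the answer describes, as an added example that is not code from the answer or the linked blog post. `UserPrivileges`, `CanRead`, `CanWrite` and the static `Lookup` delegate are hypothetical names standing in for the privileges table mentioned in the comment, and it is an assumption here that `AllowRead = true` / `AllowWrite = true` mean "the caller must hold this privilege".

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical row from the privileges table: one bool column per privilege.
public class UserPrivileges
{
    public bool CanRead { get; set; }
    public bool CanWrite { get; set; }
}

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: true means the caller must hold that privilege.
    public bool AllowRead { get; set; }
    public bool AllowWrite { get; set; }

    // Hypothetical lookup keyed on User.Identity.Name, assigned once at startup
    // (for example a query against the privileges table). It returns null for
    // unknown users; the default grants nothing to anyone.
    public static Func<string, UserPrivileges> Lookup = name => null;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: rejects anonymous requests and honours Users/Roles.
        if (!base.AuthorizeCore(httpContext)) return false;

        UserPrivileges p = Lookup(httpContext.User.Identity.Name);
        if (p == null) return false;                    // no row: deny by default
        if (AllowRead && !p.CanRead) return false;
        if (AllowWrite && !p.CanWrite) return false;

        // An attribute applied with no privilege requested fails closed.
        return AllowRead || AllowWrite;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but lacking the privilege: answer 403 instead of the default
        // 401, which forms authentication turns into a redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Applied at class level, `[CustomAuthorize(AllowRead = true)]` covers every action of a controller, which matches the one-privilege-per-controller model in the comment. The privilege check runs on every request, so it reads the user name from the `HttpContextBase` argument and keeps no per-request state in fields.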