ASP.NET User Privileges
I have created an ASP.NET MVC application with an entity framework. Due to client requirements, I will have to implement a privilege hierarchy where different users should / should not be allowed to view / view / edit different objects. And in some cases, we need to go even deeper to restrict users from editing a specific property on an object.
I have created several roles, but they are more general like "SystemAdmin" -role, "CustomerAdmin" -role etc
To make your narrower privileges, roles a day to go or is there something else I can use, or do I need to create some privileges myself in the database?
Early.
source to share
What I would do if I were you implements the spec pattern. Here's the basics of Template Specification:
public interface ISpecification<T>
{
bool IsSatisfiedBy(T entity);
}
Once you do that, I would follow through ISpecification<IPrincipal>
to specify the logic for each role. Then you can create an attribute that accepts a specification that will control authorization for a specific action. Here's an example of what this might look like:
public class AuthorizeWith : AuthorizeAttribute
{
public AuthorizeWith(Type specificationType)
{
Specification = Activator.CreateInstance(specificationType)
as ISpecification<IPrincipal>;
}
public ISpecification<IPrincipal> Specification { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return base.AuthorizeCore(httpContext) &&
Specification.IsSatisfiedBy(httpContext.User);
}
}
Hope it helps.
source to share
If you are using the badly named Authorization Manager / AzMan and the AzMan role provider, you can have extremely flexible roles (with nesting) and a simple binding to ASP.NET roles .
source to share