How else can I perform fine-grained access control in an MVC app? I.e. a user may be related to multiple objects, and have different access requirements for each object. Can this be achieved using ASP.NET Identity claims / roles? Or do I have to roll out my own?
Is there a design pattern I can follow if I need to roll out my own?
No doubt there are plenty of ways to do this, but ASP.NET MVC lends itself to extending the AuthorizeAttribute, e.g.:

```csharp
using System;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ActionPermissionAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Override OnAuthorization, not AuthorizeCore: AuthorizeCore would force a user
        // login prompt rather than inform the user of the issue.
        var controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        var action = filterContext.ActionDescriptor.ActionName;

        bool authorised = ...; // check permissions here

        if (!authorised)
            throw new UnauthorizedAccessException("You are not authorised to perform this action.");

        base.OnAuthorization(filterContext);
    }
}
```
This can be applied to the controller (or a base controller) so it doesn't need to be on every single action.
The actual permission check can be as simple or as complicated as you want - e.g. store controller + action + Active Directory group in a database to allow permissions to be changed dynamically.
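As an added example (not the answer's own code), here is one way the dynamic controller + action + group lookup described above could look. The `PermissionStore` class and its sample rows are assumptions standing in for the database table, it assumes Windows authentication so that `IsInRole` resolves AD groups, and it returns a 403 result instead of throwing.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical lookup standing in for the database table of controller + action + AD group rows.
public static class PermissionStore
{
    // Constructed sample rows keyed "Controller/Action"; a real store queries them from the database.
    private static readonly Dictionary<string, string[]> Rows =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Orders/Index",  new[] { @"DOMAIN\Sales", @"DOMAIN\Finance" } },
            { "Orders/Delete", new[] { @"DOMAIN\Finance" } },
        };

    // Groups allowed to run the action; empty when the action has no rows.
    public static IEnumerable<string> GroupsFor(string controller, string action)
    {
        string[] groups;
        return Rows.TryGetValue(controller + "/" + action, out groups) ? groups : new string[0];
    }

    // Deny by default: an unauthenticated user, or an action with no rows, is refused.
    public static bool IsAllowed(IPrincipal user, string controller, string action)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        return GroupsFor(controller, action).Any(user.IsInRole);
    }
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ActionPermissionAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        var action = filterContext.ActionDescriptor.ActionName;
        if (!PermissionStore.IsAllowed(filterContext.HttpContext.User, controller, action))
        {
            // Signed in but not permitted: answer 403 rather than redirecting to the login page.
            filterContext.Result = new HttpStatusCodeResult(403,
                "You are not authorised to perform " + controller + "/" + action + ".");
            return;
        }
        base.OnAuthorization(filterContext); // still enforces the basic authenticated-user check
    }
}
```

Because `IsAllowed` denies any controller/action pair with no rows, adding a new action to the app leaves it closed until a row is inserted, which is the safer failure mode for a permission table.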