If you're not going to rely on membership or roles, you could always write a custom implementation of the AuthorizeAttribute
that checks the user against the database.
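/// <summary>
/// Authorization filter that admits only authenticated users who are listed
/// in the application's own admin table, for sites that do not rely on the
/// membership or role providers.
/// </summary>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AdminOnlyAttribute : AuthorizeAttribute
{
    public AdminOnlyAttribute()
    {
    }

    /// <summary>
    /// Decides whether the current request may proceed.
    /// </summary>
    /// <param name="httpContext">The context of the request being authorized.</param>
    /// <returns>
    /// <c>true</c> only when the base checks pass and the user is in the admin table.
    /// </returns>
    /// <remarks>
    /// The check lives here rather than in OnAuthorization for two reasons.
    /// A denial is reported by returning false, so the framework routes it
    /// through HandleUnauthorizedRequest (401 / login redirect) instead of an
    /// unhandled UnauthorizedAccessException that surfaces as a server error.
    /// The base OnAuthorization also re-runs AuthorizeCore when an output-cached
    /// response is about to be served, so a cached admin page is not handed to
    /// a non-admin. Keep this method free of per-request instance state: the
    /// same attribute instance can be used for many requests.
    /// </remarks>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base implementation rejects a null context and unauthenticated
        // callers, so the identity read below belongs to a signed-in user.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        return IsInAdminTable(httpContext.User.Identity.Name);
    }

    /// <summary>
    /// Placeholder for the database lookup the original answer left as
    /// pseudocode ("User not in Admin table").
    /// </summary>
    /// <param name="userName">Name of the authenticated user.</param>
    /// <returns><c>true</c> when the user is an administrator.</returns>
    /// <exception cref="NotImplementedException">
    /// Always, until the lookup is supplied; failing loudly keeps an
    /// unfinished check from ever granting access.
    /// </exception>
    protected virtual bool IsInAdminTable(string userName)
    {
        // Implement with a parameterized query against the admin table and
        // return false on any lookup miss.
        throw new NotImplementedException("Admin table lookup is not implemented.");
    }
}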
Or something of the sort. Then, of course, apply it to the controller:
// Applying the attribute at class level puts every action of this controller
// behind the admin check; an action added later is covered without having to
// remember to decorate it.
[AdminOnly]
public class AdminController : Controller
{
// ...
}