Question

Let's say I have an ASP.NET MVC 4 application. I need to provide different privileges on different pages for the same users. For example, the same user could be an administrator on one page and a guest on another. MVC by default provides system-wide user privileges. I dug up some information that I should use custom membership providers to achieve my goal, but am not yet sure about this. Can someone suggest a solution?

The roles should behave the same on the same type of pages. Let's say that a topic's content, on a forum, could be edited only by the person who created it or by a moderator. Yet the user will not be able to edit someone else's topic and the moderator will not be able to edit a topic that is not a part of his topic subject group. The role system in my application should behave similarly.

Solution

You don't necessarily have to create a custom membership provider, but you are going to have to think about permissions differently.

To start, replace the word "Role" with "Operation" in your head.

You need to create atomic, fine-grained permissions in your application such as:

  • UserPropertiesView
  • UserPropertiesModify
  • CreateUser
  • DeleteUser
  • RolesView
  • RolesModify
  • CreateRole
  • DeleteRole

It might be difficult at first, but this gives you great control and flexibility over assigning operations to individual users. Since different pages will have different operations, you will be able to customize their access.

Unfortunately, the out-of-the-box ASP.NET membership and role providers all work off the concept of a coarse-grained Role. So long as you know they are Operations, and not roles, you will be good.

Abstractions are your friend here:

using System.Web;

public static class Permissions
{
   public static bool Operation(string op)
   {
      // this class can be a lot better
      // it can be testable, and check
      // error conditions, but this is
      // only an example :)
      // The role provider is treated as a store of operation names.
      return HttpContext.Current.User.IsInRole(op);
   }
}

Somewhere you will want to group all these operations up into Roles, but that will require some custom programming on your part.

Custom Providers really aren't that scary, and you can extend the built-in ones easily.
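
The forum case from the question, expressed as operations plus a per-resource check. This is an added example, not code from the original answer; the `Topic` type, the operation names and the `TopicModifyGroup:<id>` naming scheme are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;

// Hypothetical domain type; a real application would load it from its data store.
public sealed class Topic
{
    public string OwnerName { get; set; }
    public int SubjectGroupId { get; set; }
}

public static class TopicPermissions
{
    // Assumed operation name, in the naming style of the answer's list.
    public const string ModifyOwn = "TopicModifyOwn";

    // Assumed scheme: a moderator's operation is scoped to one subject group.
    public static string ModifyInGroup(int groupId) { return "TopicModifyGroup:" + groupId; }

    public static bool CanEdit(IPrincipal user, Topic topic)
    {
        // Deny by default: missing user, anonymous user, or missing resource.
        if (user == null || topic == null || !user.Identity.IsAuthenticated)
            return false;

        // Holding the operation is not enough; the user must also own this topic.
        bool isOwner = string.Equals(user.Identity.Name, topic.OwnerName,
                                     StringComparison.OrdinalIgnoreCase);
        if (isOwner && user.IsInRole(ModifyOwn))
            return true;

        // Moderators may edit only inside the subject group they were granted.
        return user.IsInRole(ModifyInGroup(topic.SubjectGroupId));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: one topic and four users with different grants.
        var topic = new Topic { OwnerName = "alice", SubjectGroupId = 7 };
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "TopicModifyOwn" });
        var bob = new GenericPrincipal(new GenericIdentity("bob"), new[] { "TopicModifyOwn" });
        var mod7 = new GenericPrincipal(new GenericIdentity("mod7"), new[] { "TopicModifyGroup:7" });
        var mod9 = new GenericPrincipal(new GenericIdentity("mod9"), new[] { "TopicModifyGroup:9" });
        foreach (var u in new[] { alice, bob, mod7, mod9 })
            Console.WriteLine("{0}: {1}", u.Identity.Name, TopicPermissions.CanEdit(u, topic));
    }
}
```

In an MVC action the same check would take `User` (or `HttpContext.Current.User`) and the loaded topic, and should run on the server for every edit request rather than only when deciding whether to render the edit link.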

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow