Question

I know it is possible to annotate action methods to control access depending on roles, like [Authorize(Roles = "Publisher")], but how can I achieve the same result if the access control information comes from a database and can be changed at any time?

For example: the Create action method can be accessed by Publisher, but cannot be tomorrow because Admin disallowed Publisher to Create. This information will come from the database and I have to somehow put the appropriate annotation in at runtime.

I hope I was able to convey my question properly. Any suggestion is appreciated.

Solution

The Create action method can be accessed by Publisher, but cannot be tomorrow because Admin disallowed Publisher to Create. This information will come from the database and I have to somehow put the appropriate annotation in at runtime.

I wouldn't solve the problem the way you mentioned. Changing the Authorize attribute from "Publisher" to something else at runtime is not a good solution. Instead, what you can do is manage the users in the Publisher role (for example, remove/add users to that role at runtime). What I mean is, let the Publisher role have access to the Create action, but on the SQL side, you manage the users who come under the Publisher role. That way, there is no need for you to change the Authorize attribute at runtime.

To maintain your roles in a SQL database and use them, you can go for a custom Role Provider.
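
A read-only custom Role Provider of the kind the answer points to, as an added example that is not part of the original answer. The class name, the `UserRoles` table and the `AppDb` connection string are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Security;

// Assumed schema (hypothetical): UserRoles(UserName nvarchar, RoleName nvarchar),
// reached through a connection string named "AppDb" (hypothetical).
// Register the class under <roleManager enabled="true" defaultProvider="..."> in
// web.config and leave cacheRolesInCookie at "false" so role changes are not cached.
public class SqlRoleProvider : RoleProvider
{
    public override string ApplicationName { get; set; }

    // The role manager calls this to resolve the roles that [Authorize(Roles = "...")] checks.
    public override string[] GetRolesForUser(string username) { return Query("SELECT RoleName FROM UserRoles WHERE UserName = @p", username); }
    public override string[] GetUsersInRole(string roleName) { return Query("SELECT UserName FROM UserRoles WHERE RoleName = @p", roleName); }
    public override string[] GetAllRoles() { return Query("SELECT DISTINCT RoleName FROM UserRoles"); }
    public override bool IsUserInRole(string username, string roleName)
    { return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase); }
    public override bool RoleExists(string roleName)
    { return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase); }

    // Membership is edited by the admin screens directly in SQL, so writes are refused here.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }

    // Runs a single-column query; the optional value is always bound as a parameter.
    private static string[] Query(string sql, string value = null)
    {
        var rows = new List<string>();
        var connStr = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (value != null) cmd.Parameters.AddWithValue("@p", value);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) rows.Add(reader.GetString(0));
        }
        return rows.ToArray();
    }
}
```

With role caching in the cookie left off, roles are read from the database on each request, so a user removed from the Publisher role loses access to Create on their next request while the `[Authorize(Roles = "Publisher")]` attribute stays unchanged.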

Licensed under: CC-BY-SA with attribution