Question

I have an application with two entities:

public class Employer {
    public string Title {get;set;}
    public virtual ICollection<Application> Applications {get;set;} 
}

public class Application {
    public string Title {get;set;}
}

I want to give users access to specific employers (an employer can have multiple users), so they can submit applications for their employers. This also includes a view of "your" employers. To solve this, I have thought of the following two possibilities:

  1. When an employer is created, a corresponding role is also created. Users can then be added to this role, and I will write some custom logic to check if the user is in the corresponding role. The hard part here is that it seems difficult to connect the role with the employer in any safe manner (without writing my own role provider).

  2. Add a property such as a collection of users to the Employer class, and check if the currently signed-in user is in this collection to decide if the user has access.

Are these good solutions, or are there any better ways to solve my problem?

Solution

This is a problem with the DAO (data access object); today there is no automatic way to do this using Entity Framework (the standard for MVC 5 and ASP.NET Identity).

Some suggestions:

1) It's easy to create or override and use the "RoleManager" and "UserManager" with your own rules.

2) You can encapsulate the data access, using something like a proxy or a wrapper to get the data from Entity Framework.

The only thing you definitely will not be able to overcome (if you want to use it) is the "custom mapping", I mean... The collection property of Employer will always load the data based on the mapping configuration, and the mapping configuration is a little bit limited (it does not support custom clauses, like a where in the relation).

OTHER TIPS

I wouldn't use roles for this. Roles are typically used to control access to functionality, not typically subsets of data (although there are exceptions).

Now, you may run into issues where you have employees that are employed by more than one company and they have different permissions for each company. In that case, the default role provider is inadequate for that job.

If, however, users all have the same functionality, but they just have access to different subsets of data, then the solution is to filter your data based on company. For instance, the company entity would have an Employees collection. Any other data would be tied to the company. Then, when you display or edit data, you make sure to query with conditions that the data belongs to the company of the current user. In general, it's best to do this in the SQL (or EF) query itself rather than in code in your app.
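
Filtering in the query, as the tip above suggests, shown as an added example (not code from the question or the answers). It assumes a hypothetical User class, an Id key on Employer and a Users collection on Employer as in option 2 of the question; EmployerAccess and its methods are illustrative names, and an in-memory list stands in for the EF DbSet.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public class User { public string Id { get; set; } }
public class Application { public string Title { get; set; } }
public class Employer
{
    public int Id { get; set; }          // assumed key, not in the question's class
    public string Title { get; set; }
    // Option 2 from the question: the users allowed to act for this employer.
    public virtual ICollection<User> Users { get; set; } = new List<User>();
    public virtual ICollection<Application> Applications { get; set; } = new List<Application>();
}

// Hypothetical service: every read and write goes through the same user-scoped query.
public class EmployerAccess
{
    private readonly IQueryable<Employer> _employers; // a DbSet<Employer> in a real app
    public EmployerAccess(IQueryable<Employer> employers) { _employers = employers; }
    // The membership condition is part of the query itself, not a check made afterwards.
    public IQueryable<Employer> ForUser(string userId) =>
        _employers.Where(e => e.Users.Any(u => u.Id == userId));

    // The employer is looked up through the scoped query, so an employer the user is
    // not linked to is indistinguishable from one that does not exist.
    public bool TrySubmit(string userId, int employerId, Application app)
    {
        var employer = ForUser(userId).SingleOrDefault(e => e.Id == employerId);
        if (employer == null) return false;
        employer.Applications.Add(app);
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: alice belongs to Acme only, bob to both employers.
        User alice = new User { Id = "alice" }, bob = new User { Id = "bob" };
        var acme = new Employer { Id = 1, Title = "Acme", Users = { alice, bob } };
        var globex = new Employer { Id = 2, Title = "Globex", Users = { bob } };
        var access = new EmployerAccess(new[] { acme, globex }.AsQueryable());
        Console.WriteLine(string.Join(",", access.ForUser("alice").Select(e => e.Title)));
        Console.WriteLine(access.TrySubmit("alice", 2, new Application { Title = "x" }));
        Console.WriteLine(access.TrySubmit("bob", 2, new Application { Title = "y" }));
    }
}
```

The userId passed in should come from the authenticated identity on the server, never from a request parameter, otherwise the filter can be bypassed by supplying another user's id.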

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow