Question

We are developing a website and we have a controller that handles CRUD for a model, e.g. Country. Only the Administrator is allowed to perform CRUD operations. However, we also want the controller to provide a JSON select list of entities to populate a drop-down. This pattern exists throughout the application.

This means that we can't use the standard authorization attribute to restrict access to administrators at the entry to the controller. We need to decorate each action with specific authorize attribute.

Is the fact that we need multiple authorization levels on a single controller a bad sign? Does it suggest we are violating SRP?

What is the best pattern to deal with the fact many controllers relate to entities that need to be updatable only by Admin but provide a JSON select list for all authorized users?

Thanks


Solution

The only problem with doing this is the risk that you might forget to protect an action that is supposed to be admin only.

Really the preferred way to approach this problem is to have an admin-only area on your site (using MVC areas).

http://msdn.microsoft.com/en-us/library/ee671793.aspx

http://sankarsan.wordpress.com/2012/04/14/asp-net-mvc-areasa-better-way-to-structure-the-application/

This way the entire www.site.com/admin section would be protected as admin-only.
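The admin-area pattern described in this answer, as an added example that is not part of the original answer: an ASP.NET MVC 4 (System.Web.Mvc) area whose controllers all inherit a single Administrator-only base class, the JSON select list kept outside the area, and a reflection check a unit test can call to catch any area controller that lost the role requirement. The namespace MySite, the class names and the sample data are assumptions.

```csharp
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
namespace MySite.Areas.Admin
{
    // Registers /Admin/{controller}/{action}; every admin route lives under one prefix.
    public class AdminAreaRegistration : AreaRegistration
    {
        public override string AreaName { get { return "Admin"; } }
        public override void RegisterArea(AreaRegistrationContext context)
        {
            context.MapRoute("Admin_default", "Admin/{controller}/{action}/{id}",
                new { action = "Index", id = UrlParameter.Optional });
        }
    }
    // Every controller in the area inherits this, so no admin action is left open by mistake.
    [Authorize(Roles = "Administrator")]
    public abstract class AdminControllerBase : Controller { }
    public class CountriesController : AdminControllerBase
    {
        public ActionResult Index() { return View(); } // create/edit/delete actions live here too
    }
    // Safety net for a unit test: names any concrete controller in this area namespace
    // that does not carry the Administrator role requirement (inherited attributes count).
    public static class AreaAudit
    {
        public static string[] UnprotectedControllers(Assembly asm)
        {
            return asm.GetTypes()
                .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract
                            && (t.Namespace ?? "").StartsWith("MySite.Areas.Admin"))
                .Where(t => !t.GetCustomAttributes(typeof(AuthorizeAttribute), true)
                              .Cast<AuthorizeAttribute>().Any(a => a.Roles == "Administrator"))
                .Select(t => t.FullName).ToArray();
        }
    }
}
namespace MySite.Controllers
{
    // The JSON select list lives outside the area and only requires a signed-in user.
    [Authorize]
    public class CountriesController : Controller
    {
        public JsonResult SelectList()
        {
            var items = new[] { new { Id = 1, Name = "Iceland" } }; // constructed sample data
            return Json(items, JsonRequestBehavior.AllowGet);
        }
    }
}
```

A test that asserts `AreaAudit.UnprotectedControllers(typeof(AdminControllerBase).Assembly)` is empty turns the "forgot to protect an action" risk into a build failure.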

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow