Question

I was looking for a data-level authorization filter in my ASP.Net MVC 4 application.
We are using Entity Framework for data access.

The application needs to display all the data but should restrict access to certain fields in a table based on the user's roles.

eg: TASK table { int Id, string TaskName, DateTime StartDate, DateTime EndDate }

This whole data will be displayed to all the users, and users also have the option to edit the fields. But the edit options should be restricted as follows:
Role Admin can edit all the fields
Role Manager can edit TaskName but cannot edit StartDate and EndDate
Role Users cannot edit any of the fields

All these edits will be calling the Edit action in the TaskController.

How can I implement this functionality in my application?


Solution

You might try Postsharp. PostSharp allows you to design custom attributes for injecting boilerplate code at compile-time. It should be possible to use it for scenarios such as your example. I've used it for exception handling, logging, caching, & security. It can be applied to any layer or framework.

See, "Securing Fields and Properties" in the following illustrated example:

http://www.sharpcrafters.com/solutions/authorization

Hope it helps.

OTHER TIPS

This is not EF but another ORM; still, it might help to see how it can be done - full source code is here.

The authorization subsystem is explained here.

It does what you need - row-level, up-to-column granularity, role-based authorization.

Sounds like what you are after is a true 'business' object that is smart and contains authorization at the property level not just at the method level. I would suggest using CSLA.NET and create your business object model with smart objects. This gives you that feature as well as a bunch of others.

This whole data will be displayed to all the users and users have the options to edit the fields also. But should restrict the edit options

Instead of a single Edit action in Task controller

  1. create a specific action for each unique field set allowed to be edited

    • Edit(TaskName, StartDate, EndDate) for Admin
    • Edit(TaskName) for Manager
    • no Edit action for User, since they are not allowed to change any fields
  2. use authorization per action
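The per-field-set actions described above, as an added C# example that is not part of the original answer. It assumes an EF context named TaskDbContext with a DbSet<Task> called Tasks (not defined here); each action binds only its own view model, so the fields a role may not edit are never read from the request, and [Authorize] rejects callers outside the listed roles before the action body runs.

```csharp
using System;
using System.Web.Mvc;

// One view model per permitted field set: model binding can only populate
// these properties, so a Manager cannot over-post StartDate or EndDate.
public class AdminTaskEdit
{
    public int Id { get; set; }
    public string TaskName { get; set; }
    public DateTime StartDate { get; set; }
    public DateTime EndDate { get; set; }
}
public class ManagerTaskEdit
{
    public int Id { get; set; }
    public string TaskName { get; set; }
}

public class TaskController : Controller
{
    // Assumed EF context exposing DbSet<Task> Tasks (not defined here).
    private readonly TaskDbContext db = new TaskDbContext();

    // Admin only: every field is editable.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Admin")]
    public ActionResult EditAll(AdminTaskEdit model)
    {
        if (!ModelState.IsValid) return View(model);
        var task = db.Tasks.Find(model.Id);
        if (task == null) return HttpNotFound();
        task.TaskName = model.TaskName;
        task.StartDate = model.StartDate;
        task.EndDate = model.EndDate;
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // Manager (and Admin): only TaskName is copied; StartDate and EndDate
    // are never read from the request, whatever the client posts.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Admin,Manager")]
    public ActionResult EditName(ManagerTaskEdit model)
    {
        if (!ModelState.IsValid) return View(model);
        var task = db.Tasks.Find(model.Id);
        if (task == null) return HttpNotFound();
        task.TaskName = model.TaskName;
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

There is deliberately no edit action for the User role, so no endpoint accepts a write from that role at all.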

Licensed under: CC-BY-SA with attribution