1

In my MVC5 project, admin can create lessons in a control panel and the lessons are stored in the database (currently there is only 2 lessons for now). On the other hand, I can create some roles for these lessons i.e. CanCreateMathHomework, CanCreateChemistryHomework so that only the teachers of the related lesson can publish homework for the related lesson by using ASP.NET Identity. Until now everything works perfectly and the teachers can publish homework of their lesson.

LessonController: 

[Authorize(Roles = "CanCreateMathHomework")]
public ActionResult CreateMathHw()
{
    //code omitted for brevity
}


[Authorize(Roles = "CanCreateChemistryHomework")]
public ActionResult CreateChemistryHw()
{
    //code omitted for brevity
}

However, I want to create a flexible permission mechanism that let the teachers of the newly created lessons to publish their homeworks without creating the new roles in the database or new Actions in the Controller. What I want to perform is that:

1) Admin will continue to create new lessons and teacher of the lesson then keep them in the database as ever before.

2) Admin give the permission to the teacher of newly created lesson so that he or she will be able to publish hw of his or her lesson as the other teachers.

3) There would be no need to create new Action methods in the Controller and everything should be done without needing the software developer.

But how? Is it possible? If so, can a global role and Action method be used in order to perform this? I am really very confused and any helps would be appreciated. Thanks.

Improve this question

1 Answer 1

Reset to default
1

Unfortunately Authorize does not work in the way you are describing.

The aspnet identity database however (assuming you have one) will handle creating tables for users, roles, and other such interesting auth info so all you need to do is create joins between those aspnet tables and your "xhomework" tables to link up roles / users to items in other tables.

You can then create a new attribute by deriving from either the existing Authorize attribute or its parents (see here for more details: https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx)

...

This will give you a "filter" that gets applied to the request before the Action is executed allowing you to refuse on your own security terms, by overriding OnAuthorization (see here: https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.onauthorization(v=vs.118).aspx#M:System.Web.Mvc.AuthorizeAttribute.OnAuthorization(System.Web.Mvc.AuthorizationContext))

... from there you simply need a UI to manage the new join tables.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for explanations. Vote+
you should mark this as the answer to your question if it helps you resolve your issue
Yes, you are right. But my problem has not been solved and that is why I did not mark it as answer. Sorry :(

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.