3

We have several projects (ASP.NET MVC) that will require a Role / User / Permissions security model. We want to keep this data in tables in our database. How do you recommend we go about implementing this security model with our ASP.NET MVC projects? Use custom authorization attributes that will determine if a user is authorized by interacting with the data model in our database?

Are there third party / open source options available?

2
  • Are you having problems with the built in Membership/Authorization providers? If they don't fit the bill, you can implement your own: msdn.microsoft.com/en-us/library/f1kyba5e.aspx Commented Feb 3, 2011 at 20:18
  • Do the built-in providers handle permissions? For example, a user may be a member of role "Guest" which has permissions "Read" and "Write". The built-in providers seem to work well when using roles to access certain folders, controllers, methods but I don't see anything that checks if they have a certain permission. I want to be able to write "If UserHasPermission("Delete")" which will automatically determine if their role has that permission. I'm also not sure how to add permissions using their administration tool. Commented Feb 3, 2011 at 21:23

3 Answers

2

If you are willing to use Entity Framework, there's an EF Membership provider for MVC. Here http://efmembership.codeplex.com/


1

The way I approached this is to reflect on controller actions. I still use the normal ASP.NET membership provider, but then have an actions table that stores all my controllers/actions.

Secondly, I created a base controller and added the authorize attribute on the base controller. I then overrode the authorization "event" and did a check there if a user has access to that specific action. I did the same with OnActionExecuting.

1 Comment

I know this is kinda late but do you think you can elaborate on your point. I'm looking for something that sounds very close to what you have just said.
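
One way to implement the approach described in the answer above (a database-backed check per controller/action, applied from a base controller), as an added example that is not the answerer's code. `IActionPermissionStore`, `DbAuthorizeAttribute`, `StoreFactory` and `SecuredController` are hypothetical names, and ASP.NET MVC 3 or later is assumed for `HttpStatusCodeResult`.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction over the Role / Permission / Action tables.
public interface IActionPermissionStore
{
    // True only if one of the user's roles is granted this controller/action.
    // Implementations should compare names case-insensitively, as routing does.
    bool IsAllowed(string userName, string controller, string action);
}

public class DbAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at startup, e.g. in Application_Start.
    public static Func<IActionPermissionStore> StoreFactory { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: rejects anonymous users.
        if (!base.AuthorizeCore(httpContext)) return false;
        if (StoreFactory == null) return false; // fail closed when unconfigured

        // Read the names from route data so the same check runs when
        // AuthorizeAttribute re-validates an output-cached response.
        var values = httpContext.Request.RequestContext.RouteData.Values;
        object controller, action;
        if (!values.TryGetValue("controller", out controller) ||
            !values.TryGetValue("action", out action))
            return false; // unknown target: deny by default

        return StoreFactory().IsAllowed(
            httpContext.User.Identity.Name, controller as string, action as string);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: 403 rather than a login redirect loop.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Applied once on the base controller; derived controllers inherit the filter.
[DbAuthorize]
public abstract class SecuredController : Controller { }
```

Putting the lookup in `AuthorizeCore` instead of after `base.OnAuthorization` keeps the database check in the path that output caching re-runs, so a cached page is not served to a user whose role lacks the action.
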
0

I use Rhino Security for a complex MVC site and love it.

http://ayende.com/Blog/archive/2008/01/22/Rhino-Security-Overview-Part-I.aspx

Security calls end up looking like this:

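    // Grant the "GAAdmins" users group the controller-level operation.
    permissionBuilderService
        .Allow("/[Controller]", 1)
        .For("GAAdmins", 1)
        .OnEverything()
        .DefaultLevel()
        .Save();

    // Put the user in that group.
    authorizationRepository.AssociateUserWith(user, "GAAdmins");

    // Check at the point of use whether the user may run the action.
    if (authService.IsAllowed(user, "/[Controller]/[Action]"))
    {
        // ...
    }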
