Routing Business Branches: Granular access control in ASP.NET MVC

Posted by FreshCode on Stack Overflow
Published on 2010-04-28T22:30:46Z Indexed on 2010/04/28 22:57 UTC

How should ASP.NET MVC routes be structured to allow granular role-based access control to business branches?

Every business entity is related to a branch, either by itself or via its parent entities. Is there an elegant way to authorize actions based on user roles for any number of branches?

1. {branch} in route?

{branch}/{controller}/{action}/{id}

Action:

[Authorize(Roles="Technician")]
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    // Authorize will test if User has Technician role in branch context
    // ...
}

2. Retrieve branch from business entity?

{controller}/{action}/{id}

Action:

public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    if (!User.HasAccessTo("WidgetAction", obj.Branch))
        throw new HttpException(403, "No soup for you!"); // or redirect

    // ...
}

3. Or is there a better way?
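
An added example, not part of the original post, of option 1 written as a custom authorization filter: it reads {branch} from the route and tests the role within that branch, and the action then compares the route's branch with the branch of the entity it loads. The `BranchAuthorizeAttribute` name, the "<branch>:<role>" role-naming convention, the string `Branch` property, the `id` parameter and the in-memory `Store` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class BusinessObject { public string Branch { get; set; } } // assumed shape

// Hypothetical filter: tests Roles inside the {branch} taken from the route.
// Assumes branch-scoped roles are named "<branch>:<role>", e.g. "north:Technician".
public class BranchAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        // Re-resolve the route so the check also holds when run for cached output.
        RouteData routeData = RouteTable.Routes.GetRouteData(httpContext);
        object raw;
        var branch = routeData != null && routeData.Values.TryGetValue("branch", out raw) ? raw as string : null;
        if (string.IsNullOrEmpty(branch)) return false; // no branch context: deny

        var roles = (Roles ?? "").Split(',').Select(r => r.Trim()).Where(r => r.Length > 0);
        return roles.Any(r => user.IsInRole(branch + ":" + r)); // no roles listed: deny
    }
}

public class WidgetController : Controller
{
    // Constructed sample data standing in for the real data store.
    static readonly Dictionary<int, BusinessObject> Store = new Dictionary<int, BusinessObject>
        { { 1, new BusinessObject { Branch = "north" } } };

    [BranchAuthorize(Roles = "Technician")]
    public ActionResult BusinessWidgetAction(int id, string branch)
    {
        BusinessObject obj;
        if (!Store.TryGetValue(id, out obj)) throw new HttpException(404, "Not found");

        // The stored entity's branch is authoritative; the URL segment is caller-supplied.
        if (!string.Equals(obj.Branch, branch, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(403, "Forbidden");

        return View(obj);
    }
}
```

The entity is loaded by id rather than model-bound, because a bound `BusinessObject` would have its `Branch` property filled from the same {branch} route value the check compares against.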
