ASP.NET MVC authorization & permission to use model classes
Posted by Tomek on Stack Overflow
Published on 2010-05-20T09:50:22Z
Indexed on 2010/05/20 10:00 UTC
Tags: asp.net-mvc | authorization
Hi,
This is my first post here, so hello :) Okay, let's get to the point... I am writing my first app in the ASP.NET MVC Framework and I have a problem with checking privileges to use instances of model classes (read, edit). Sample code looks like this:
    // Controller action
    [CustomAuthorize(Roles="Editor, Admin")]
    public ActionResult Stats(int id)
    {
        User user = userRepository.GetUser(id);
        if (user == null || !user.Activated || user.Removed)
            return View("NotFound");
        else if (!user.IsCurrentSessionUserOwned)
            return View("NotAuthorized");
        return View(user);
    }
So far the authorize attribute protects only controller actions, so my question is: how do I make a (custom) authorize attribute check not only user roles and usernames but also, i.e., resources instantiated in action methods (above: User class, but there are other ORM objects like News, Photos etc.)? All of these objects to check have their unique IDs, so a user has its own ID, and News have their ID and a UserID field referencing the Users table (I mean these objects are LINQ2SQL classes). How should I resolve that problem?
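The per-object ownership check from the action above, moved into one reusable filter so it cannot be forgotten on individual actions. This is an added example, not part of the original post: `IOwnedResource`, `IOwnedResourceLoader`, `OwnerAuthorizeAttribute`, the `NewsLoader` named in the usage comment and the `Session["UserId"]` key are hypothetical names, and the loader is assumed to have a parameterless constructor.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical contract: each protected entity (User, News, Photos ...) exposes its owner's ID.
public interface IOwnedResource { int OwnerUserId { get; } }

// Hypothetical loader, one per entity type; returns null for missing, removed or inactive rows.
public interface IOwnedResourceLoader { IOwnedResource Load(int id); }

// Usage: [OwnerAuthorize(typeof(NewsLoader), Roles = "Editor, Admin")]
public class OwnerAuthorizeAttribute : AuthorizeAttribute
{
    private readonly Type loaderType;

    public OwnerAuthorizeAttribute(Type loaderType)
    {
        if (loaderType == null || !typeof(IOwnedResourceLoader).IsAssignableFrom(loaderType))
            throw new ArgumentException("Type must implement IOwnedResourceLoader.", "loaderType");
        this.loaderType = loaderType;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);        // login + Roles/Users checks
        if (filterContext.Result != null) return;   // already rejected by the base class

        // Assumption: the resource ID is the "id" route value or query-string parameter.
        object raw = filterContext.RouteData.Values["id"]
                     ?? filterContext.HttpContext.Request.QueryString["id"];

        // Assumption: the signed-in user's ID is kept in Session["UserId"].
        var session = filterContext.HttpContext.Session;
        object current = session == null ? null : session["UserId"];

        int id;
        IOwnedResource resource = null;
        if (int.TryParse(Convert.ToString(raw), out id))
            resource = ((IOwnedResourceLoader)Activator.CreateInstance(loaderType)).Load(id);

        if (resource == null)
            filterContext.Result = new ViewResult { ViewName = "NotFound" };
        else if (!(current is int) || (int)current != resource.OwnerUserId)
            filterContext.Result = new ViewResult { ViewName = "NotAuthorized" };  // fail closed
    }
}
```

The base class's output-cache validation callback re-runs only `AuthorizeCore`, so an action protected this way should not also be output-cached, or a cached response could be served without the ownership check.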
© Stack Overflow or respective owner