0
votes

I am a bit confused about role and rule with my application. My some users will be authorized edit data on my web site. For example I will create roles like this:

  • EDITOR
  • ADMIN
  • VIEWER

Asp.net mvc has an attribute named Authorize. I can specify roles for controller and actions .

    [Authorize]
    public class GeometryController : Controller
    {
        [Authorize(Roles = "VIEWER")]
        public ActionResult Get(string id)
        {
            return Content("OK.");
        }

        [HttpGet]
        [Authorize(Roles = "ADMIN, EDITOR")]
        public ActionResult Edit(string id)
        {           
           return Content("This operation is restricted for you.");   
        }
    }

But I have another role that some users can edit data by working area. For example

  • user1 can only edit Arizona data and view All zone data.
  • user2 can edit and delete Texas data.
1
Just extend the default Authorize attribute and include your logic - Vsevolod Goloviznin

1 Answers

1
votes

I've done something close to the following in my code.

public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        private readonly string _feature;
        private readonly string _permission;

        public BRTAuthorizeAttribute( string feature, string permission)
        {
            _feature = feature;
            _permission = permission;
        }

        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            if (!base.IsAuthorized(actionContext))
            {
                return false;
            }

            if(// check access rights)
            {
                return true
            }
            return false;
        }
    }

Then decorate controllers with [CustomAuthorize("feature", "permission")] this should be what you need.