Reputation: 7158
Role Based Authorization with an Extra Twist
I'm looking to solve a problem I have with implementing role-based authorization of a project I'm working on. The project is in ASP.NET MVC 3.
The application authenticates users and these users have certain system-wide roles associated with them. This part I am fine with.
The problem arises with the concept of Projects, Teams and Team Roles within the application. For each Project that a manager creates, they can create a Team. This Team consists of other system users, who will assume Roles within the Team, but just for that Project.
So a user may have Role A in one project and may have Role B in another and Role C in another.
The biggest problem I face, is that at the moment the Action Method might have the signature (example code, not real code):
[Authorize(Roles = "SomeExampleSystemRole")]
public ActionResult DoSomeTask(Guid id)
{
// id is the project id.
}
In which case even if I coded up a custom attribute, I wouldn't know which Project (and subsequently which Team) the user was calling this task in relation to, not until I was inside the method and could access the 'id' argument.
So far I have thought of creating another class, but this still would have to sit within the Action Method, so that it knows the current Project id:
[Authorize(Roles = "SomeExampleSystemRole")]
public ActionResult DoSomeTask(Guid id)
{
// some code to get the current user identity.
// id is the project id.
TeamAuthorization auth = new TeamAuthorization(userIdentity, id);
bool authPassed = auth.DoesUserHaveTeamRole("RoleC");
}
However if the user doesn't have the system role that's required, they'll never get to the secondary authorization code inside the Action Method.
Does anyone have any ideas on how this sort of transient role problem can be elegantly solved? In addition, we're moving away from a heavily 'Session' based implementation and don't envisage a 'Session' based solution as being manageable.
I'm currently looking at whether the Team Roles are different from the System Roles, if so then the solution above may work in part.
Would it be possible using Attributes to be able to read the 'id' in the method's parameters?
Any suggestions would be greatly appreciated. Many thanks.
Edit:
I've had an extra thought that it might be best to simply apply a global Authorize attribute to ensure that users are authenticated, then role-up the system roles into the TeamAuthorization class, so that at least system and team roles can be joined into one super-set. This also might work in instances where the project or team id isn't passed into the method (or as obvious).
Upvotes: 1
Views: 236
Answers (1)
Reputation: 7172
In the Authorize attribute, you get the HttpContext. You could use something like this:
var routeData = new RouteCollection();
MvcApplication.RegisterRoutes(routeData);
var route = routeData.GetRouteData(httpContext);
MvcApplication is your global application class. This will bind up the routes, then parse the request to give you the route that has been called. You can then ask it for the Id parameter to perform the extra authorization on that.
Si
Upvotes: 1
Related Questions
- Implement Role Based Security in MVC 4
- Implementing role-based authorization using .NET MVC 5
- Custom Role based authentication
- Custom role based authorization (without membership)
- MVC Role Authorization
- Role based authorization in asp.net
- Asp.net MVC Role manager
- ASP.Net role based form authentication
- Role based authentication feed back to user in ASP.NET MVC
- asp.net mvc authorization using roles