Defining different roles in my ASP.Net application

Question

I have a website that's sort of a Craiglist type app.

In my Database, should I create a table called UserRoles, and assign the UserRoleID as a Foreign Key to every user created? 1 for Admin(Complete Priveledges), 2 for Moderator, 3 for Normal User, etc.

Also, inside of my ASP.Net application, say I have a UserControl. Inside of that user controls method, should I ask if User.ID = "1" make a button X.Visible = True?

Say if the currently logged in user is an Admin, make a little red X appear so the Admin can easily delete a listing, etc.

Or is there a more established way to do this?

Answer 1

ASP.NET 2.0 introduced Membership. It makes maintaining users, roles, and profiles rather simple. I would recommend using the default SQL implementations.

Answer 2

Roughly speaking that is how you would do it.

You should probably take a look at .Net Membership as it already provides most of the leg work to get this done.

Also rather than writing user.RoleID == 1, all over the place consider writing some methods/properties to answer the question for you.

e.g.

if(myuser.IsAdmin)
{
  ....
}

or

if(myuser.HasRightsTo(Rights.DoX))
{
  ....
}

Answer 3

You have the right general idea of a roles provider there. Role providers give a user some level (or perhaps multiple levels) and then in your code you can validate the current user's level when displaying content and evaluating inputs.

If you are using your own system then what you have described above is a perfectly reasonable approach to authentication and authorization. However, if you are using the ASP.NET built-in MemberShipProvider and RoleProvider (which you probably should be!) then there are many tutorials on getting those up and running. Personally, I would recommend using an existing provider over reinventing the wheel, but that's just me. You'll find that the built in providers are very comprehensive and simple to use.