Reputation: 3243
I've been reading about and playing with ASP.NET MVC lately, to figure out if it will be the new framework for an existing product.
The product consists of a multi-user website where the customers are created by me and added to their respective companies. Each user then has access to do some stuff, add data etc. in the scope of his own company.
How would I go about creating a structure like that in MVC? I basically want to be the "super-admin" that can create new users, add them to companies and control their rights. The regular users will also have different user roles (admin, user, guest) within their company.
I've got pretty much everything else set up (MVC and the Entity framework is awesome), but I just need this last layer of separation.
Any help is much appreciated.
Upvotes: 0
Views: 351
Reputation: 239430
There's really two pieces to this. The first is roles. Simply create a clear designation between roles for a company versus roles for the entire application, for example: "Admin", "CompanyAdmin", "CompanyUser", and "CompanyGuest". There, I literally mean "Company", not a placeholder for a specific company name. You should only have one set of roles applicable to all company users.
The second piece is a form of ownership authorization. Each user is assigned to a company, surely through a foreign key on your user entity. Your routes will contain some component that identifies the company being utilized, whether that be via a subdomain, or just part of the path, i.e. /FooInc/Bar/Baz. In your actions, you'll use this component to look up the company from your persistence store and then compare that with the company the user is assigned to. If the two do not match, then you return a 403. Otherwise, you let the user proceed.
There are many ways that can be done. You could use an action filter, base controller, etc. That's largely up to you and the needs of your application. Regardless, ASP.NET MVC is very capable of handling such a thing.
Upvotes: 2
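The ownership check from the answer above, written as an authorization filter. This is an added example, not code from the original posts. It assumes ASP.NET MVC 5, a route shaped like `{company}/{controller}/{action}`, a `CompanyId` claim issued at sign-in from the user's company foreign key, and a hypothetical `ICompanyLookup` service registered with the dependency resolver.

```csharp
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical persistence abstraction: maps the route's company key to its database id.
public interface ICompanyLookup
{
    int? FindCompanyId(string routeKey);   // null when no such company exists
}

// The "company" route key and "CompanyId" claim type are assumed names.
public class CompanyScopeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: authenticated, plus any Roles/Users set on the attribute.
        if (!base.AuthorizeCore(httpContext)) return false;

        // The application-wide "Admin" role is not tied to a single company.
        if (httpContext.User.IsInRole("Admin")) return true;

        var routeKey = httpContext.Request.RequestContext.RouteData.Values["company"] as string;
        if (string.IsNullOrEmpty(routeKey)) return false;   // fail closed on unscoped routes

        // Resolve the company from the persistence store, then compare with the user's own.
        var lookup = DependencyResolver.Current.GetService<ICompanyLookup>();
        int? routeCompanyId = lookup?.FindCompanyId(routeKey);

        var claim = (httpContext.User.Identity as ClaimsIdentity)?.FindFirst("CompanyId");
        int userCompanyId;
        return routeCompanyId.HasValue
            && claim != null
            && int.TryParse(claim.Value, out userCompanyId)
            && userCompanyId == routeCompanyId.Value;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            // Signed in but wrong company or role: 403, not a redirect to the login page.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);   // anonymous: default 401
    }
}
```

Applied as `[CompanyScope(Roles = "Admin,CompanyAdmin")]` on a controller or action, the role list is checked by the base class before the company comparison runs, so "Admin" must be listed for the super-admin bypass to be reached.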