Asp.Net MVC action based custom authorization

I have a web application written in asp.net mvc with fluent nhibernate.

Data hierarchy: Post -> Category -> Company

User roles : user, admin

I try to find a architecture to develop custom authorization. A user can be member of multiple company. Also a user can be an admin of a company while he can be also just member of another company.

Also we want develop a custom authorization based on controller, action or id of action. For example a user can be admin of just one category. Namely; in our future system there will be users, user groups in which users and groups开发者_如何学Go is belong to a company. While custom authorization will be applied to them based on url (contoller/action/id).

any recommendation, useful links etc?

This is a bit tricky actually - you may want to rethink the custom authorization and consider populating the roles in say Application_AuthenticateRequest, and then use the [Authorize] attribute to do the actual checks if the user belongs to those roles.This way you are applying it directly to the action method and avoiding a custom mess but achieving basically the same result.

we are having a similar discussion not yet resolved at: Questions about a Custom Security setup for MVC3 using overridden AuthorizeAttribute, thread safety, ChildActions and caching