ASP.NET User privileges
I have created an ASP.NET MVC-application with entity framwork. Due to customer demands I will have to implement 开发者_StackOverflowa privilege hierachy where different users should have/shouldnt have rights to list/view/edit different kind of objects. And in some cases we need to go even deeper to restrict users from editing a certain property on an object.
I have created a few roles, but they are more generic like a "SystemAdmin"-role, a "CustomerAdmin"-role e t c
To make theese more narrow privileges, is roles the day to go or is there something else I can use or should I create some kind of privileges on my own in the database?
Thans in advance.
What I would do, if I were you, is implement the Specification pattern. Here's the basics of the Specification pattern:
public interface ISpecification<T>
{
bool IsSatisfiedBy(T entity);
}
Once you do that, I would implement an ISpecification<IPrincipal>
to specify the logic of each role. Then you might create an Attribute that takes the specification that would control authorization for a certain action. Here's an example of how that might look:
public class AuthorizeWith : AuthorizeAttribute
{
public AuthorizeWith(Type specificationType)
{
Specification = Activator.CreateInstance(specificationType)
as ISpecification<IPrincipal>;
}
public ISpecification<IPrincipal> Specification { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return base.AuthorizeCore(httpContext) &&
Specification.IsSatisfiedBy(httpContext.User);
}
}
Hope that helps.
If you use the horribly named Authorization Manager / AzMan and the AzMan role provider, you can have extremely flexible roles (with nesting) and a simple tie-in to ASP.NET roles.
精彩评论