
Question regarding fine-grained authorization and MVC2

Background: Completely new to MVC2. Has C# experience, but limited web experience.

I need more fine grained access than simply assigning a Role to a user. The user may have the role at 0+ points in a tree.

/
  /Europe
    /England
    /France
  /USA

For example, a user might be moderator of all forums under "Europe" and have access to posting news in France.

The two example controllers have actions as these:

ForumController:

public ActionResult DeletePost(int id) { ... }

NewsController:

[HttpPost]
public ActionResult Post(int treeID, ...) { ... }

How should I approach this? From what I gather Membership+RoleProvider cannot do this level of fine-grained control. Previously I have written custom user/role/auth system which supported all this, but it was incompatible with "the standard" controls such as LoginView.

The goal would be to have roles allowing access like so:

NewsAdmin

  • Add news

  • Edit news

  • Delete news

NewsPoster

  • Add news

Therefore, the Post action of News controller should check: Does user have "Add news"-access where he is trying to post?

I would really like to somehow specify this using attributes, so the actual action code could be cleaner and just assume that the caller has appropriate access.

Hope the question makes sense, and I can get some pointers on where to read.

(Oh, and I'm sure this question has been answered in some variant before. I just can't seem to find it. I won't mind single-link replies, if you feel they might be helpful to read)


I think you're being too quick to dismiss the role provider. If a user had a role called NewsAdmin_Europe_AddNews that would pretty much answer the question, wouldn't it?

Once you've made your authentication scheme work with the role provider, you need to tie that into MVC. Subtype AuthorizeAttribute and override AuthorizeCore. Warning: Your code here must be thread-safe and re-entrant. Call base.AuthorizeCore and then test for the specific role based on the URI/query (you won't get route values since this can be served from cache, bypassing MVC altogether).

This is some work, but will be more secure in the end than trying to reinvent membership.

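Here is one way to put the answer above into code. This is an added example, not code from the question or the answer: the attribute name `TreeAuthorize`, the `Permission`/`TreeIdParameter` properties, the role-naming scheme `Permission:Europe/France`, and the walk from the requested node up to the root (so a grant on /Europe also covers /England and /France under it) are all assumptions chosen for illustration. It follows the two points the answer makes: the check happens in an `AuthorizeCore` override that first calls `base.AuthorizeCore`, and the node is read from the query string or form body rather than from route data, because the same method is invoked from the output-cache validation callback where no MVC route values exist.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (added example, not from the post).
// Usage on the question's actions:
//   [TreeAuthorize(Permission = "AddNews", TreeIdParameter = "treeID")]
//   [HttpPost] public ActionResult Post(int treeID, ...) { ... }
// The action body can then assume the caller holds "AddNews" at treeID or at an ancestor.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = true, Inherited = true)]
public sealed class TreeAuthorizeAttribute : AuthorizeAttribute
{
    // Permission that is combined with the node path into a RoleProvider role name,
    // e.g. "AddNews" + "/Europe/France" -> "AddNews:Europe/France" (naming scheme is an assumption).
    public string Permission { get; set; }

    // Name of the query-string or form field that carries the tree node path.
    public string TreeIdParameter { get; set; }

    // No instance state is written here: AuthorizeCore must stay thread-safe and re-entrant
    // because one attribute instance is shared across requests and cache callbacks.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: authenticated user plus any Users/Roles set on the attribute itself.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Read the node from the raw request, not from RouteData: when the action's output is
        // served from the output cache this method runs from the cache validation callback and
        // MVC routing has not executed, so route values are unavailable.
        string node = httpContext.Request.QueryString[TreeIdParameter]
                      ?? httpContext.Request.Form[TreeIdParameter];
        if (string.IsNullOrEmpty(node))
            return false; // fail closed when the scope of the request cannot be determined

        foreach (string roleName in CandidateRoles(Permission, node))
        {
            // With RoleManager enabled, IsInRole consults the configured RoleProvider.
            if (httpContext.User.IsInRole(roleName))
                return true;
        }
        return false;
    }

    // Yields role names from the most specific node up to the root, so a role granted at
    // "/Europe" also satisfies a request for "/Europe/France". A crafted node value cannot
    // widen access: every candidate is an ancestor of what the client asked for, and the
    // lookup only succeeds for roles the user actually holds.
    internal static IEnumerable<string> CandidateRoles(string permission, string node)
    {
        string[] parts = node.Trim('/').Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        for (int depth = parts.Length; depth >= 0; depth--)
        {
            string path = string.Join("/", parts, 0, depth);
            // depth == 0 yields "AddNews:" which represents a grant at the tree root.
            yield return string.Format("{0}:{1}", permission, path);
        }
    }
}
```

For the question's `DeletePost(int id)` action, where the node is not in the request at all, the attribute would have to resolve the post's tree position from `id` (a lookup the example deliberately omits); the same structure applies, only the source of `node` changes, and it should still be derived from the request, not from route data, for the caching reason above.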
