Routing Business Branches: Granular access control in ASP.NET MVC

Posted by FreshCode on Stack Overflow See other posts from Stack Overflow or by FreshCode
Published on 2010-04-28T22:30:46Z Indexed on 2010/04/28 22:57 UTC
Read the original article Hit count: 316

Filed under:

asp.net-mvc

|

access-control

|

roles

|

asp.net-mvc-routing

How should ASP.NET MVC routes be structured to allow granular role-based access control to business branches?

Every business entity is related to a branch, either by itself or via its parent entities. Is there an elegant way to authorize actions based on user-roles for any number of branches?

1. {branch} in route?

{branch}/{controller}/{action}/{id}

Action:

[Authorize(Roles="Technician")]
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    // Authorize will test if User has Technician role in branch context
    // ...
}

2. Retrieve branch from business entity?

{controller}/{action}/{id}

Action:

public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    if (!User.HasAccessTo("WidgetAction", obj.Branch))
        throw new HttpException(403, "No soup for you!"); // or redirect

    // ...
}

3. Or is there a better way?

© Stack Overflow or respective owner

Related posts about asp.net-mvc

Migrating ASP.NET MVC 1.0 applications to ASP.NET MVC 2 RTM

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Note: ASP.NET MVC 2 RTM isn’t yet released! But this tool will help you get your ASP.NET MVC 1.0 applications ready for when it is! I have updated the MVC App Converter to convert projects from ASP.NET MVC 1.0 to ASP.NET MVC 2 RTM. This should be last the last major change to the MVC App Converter… >>> More
ASP.NET MVC 3 Hosting :: New Features in ASP.NET MVC 3

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Razor View Engine The Razor view engine is a new view engine option for ASP.NET MVC that supports the Razor templating syntax. The Razor syntax is a streamlined approach to HTML templating designed with the goal of being a code driven minimalist templating approach that builds on existing C#, VB… >>> More
PathTooLongException after migrating from ASP.NET MVC 1 to ASP.NET MVC 2

as seen on Stack Overflow - Search for 'Stack Overflow'
I had updated my app from MVC 1 to MVC 2. After that some pages throws PathTooLongException: [PathTooLongException: The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.] … >>> More
Differece between Asp.net MVC 1 and Asp.net MVC 2

as seen on Stack Overflow - Search for 'Stack Overflow'
what is differece between Asp.net MVC 1 and Asp.net MVC 2? >>> More
Top 5 reasons for using ASP.NET MVC 2 rather than ASP.NET MVC 1

as seen on Stack Overflow - Search for 'Stack Overflow'
I've been using ASP.NET MVC 1 for a while now, and am keen to take advantage of the improvements in MVC 2. Things like validation seem greatly improved, and strongly-typed HTML helper methods look great. So, for those of you who have real-world practical experience of using ASP.NET MVC 1 and are… >>> More

Related posts about access-control

LiteSpeed enable Access-Control-Allow-Origin (no response header on CORS request)

as seen on Server Fault - Search for 'Server Fault'
Seriously, I can't find a single page discussing this for litespeed. Using this format in the htaccess "Header set Access-Control-Allow-Origin http://aSite.com" (and https) sends the setting in the http response header, but I still get the "XMLHttpRequest cannot load https://aSite.com/aFile.php.… >>> More
DELETE method not working in Apache 2.4

as seen on Server Fault - Search for 'Server Fault'
I'm running Apache 2.4 locally and dealing with RESTful services authenticating through OAuth. GET, PUT and POST work fine but I can't get DELETE to work. I've tried installing WebDAV and mod_dav, overriding methods in .htaccess, tried Limits, force (enable) DELETE options in configuration and pretty… >>> More
CORS Fails on CloudFront Distribution with Nginx Origin

as seen on Server Fault - Search for 'Server Fault'
I have a CloudFront distribution set up with an Nginx server as the origin (a Media Temple DV server, to be specific). I enabled the Access-Control-Allow-Origin: * header so fonts will work in Firefox. However, Firefox throws a CORS error for fonts loaded from this CloudFront/Nginx distribution. I… >>> More
My MS Access control displays no text for appended items following an append query

as seen on Stack Overflow - Search for 'Stack Overflow'
The control in question is part of a datasheet-style subform that feeds off a multi-field combo-box. The control is bound to the first field of the combo box, an ID field which is hidden from view (column width set to zero). Consequently, the second field (Code) is displayed in the control when an… >>> More
ASP.NET and WIF: Showing custom profile username as User.Identity.Name

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
I am building ASP.NET MVC application that uses external services to authenticate users. For ASP.NET users are fully authenticated when they are redirected back from external service. In system they are logically authenticated when they have created user profiles. In this posting I will show you how… >>> More