ASP.NET MVC authorization & permission to use model classes

Posted by Tomek on Stack Overflow See other posts from Stack Overflow or by Tomek
Published on 2010-05-20T09:50:22Z Indexed on 2010/05/20 10:00 UTC
Read the original article Hit count: 311

Filed under:

asp.net-mvc

|

authorization

Hi,

This is my first post here, so hello :) Okey, let's get to the point... I am writing my first app in ASP.NET MVC Framework and i have a problem with checking privileges to use instances of model classes (read, edit). Sample code looks like this:

// Controller action

[CustomAuthorize(Roles="Editor, Admin")]
public ActionResult Stats(int id)
{
    User user = userRepository.GetUser(id);

    if (user == null || !user.Activated || user.Removed)
        return View("NotFound");
    else if (!user.IsCurrentSessionUserOwned)
        return View("NotAuthorized");

    return View(user);
}

So far authorize attribute protects only controller actions, so my question is: how to make (custom) authorize attribute to check not only user role, usernames but also did i.e. resources instantiated in action methods (above: User class, but there are other ORM objects like News, Photos etc.) All of these object to check have their unique ID's, so user have own ID, News have their ID and UserID field referecned to Users table (i mean these objects are LINQ2SQL classes). How should i resolve that problem?

© Stack Overflow or respective owner

Related posts about asp.net-mvc

Migrating ASP.NET MVC 1.0 applications to ASP.NET MVC 2 RTM

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Note: ASP.NET MVC 2 RTM isn’t yet released! But this tool will help you get your ASP.NET MVC 1.0 applications ready for when it is! I have updated the MVC App Converter to convert projects from ASP.NET MVC 1.0 to ASP.NET MVC 2 RTM. This should be last the last major change to the MVC App Converter… >>> More
ASP.NET MVC 3 Hosting :: New Features in ASP.NET MVC 3

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Razor View Engine The Razor view engine is a new view engine option for ASP.NET MVC that supports the Razor templating syntax. The Razor syntax is a streamlined approach to HTML templating designed with the goal of being a code driven minimalist templating approach that builds on existing C#, VB… >>> More
PathTooLongException after migrating from ASP.NET MVC 1 to ASP.NET MVC 2

as seen on Stack Overflow - Search for 'Stack Overflow'
I had updated my app from MVC 1 to MVC 2. After that some pages throws PathTooLongException: [PathTooLongException: The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.] … >>> More
Differece between Asp.net MVC 1 and Asp.net MVC 2

as seen on Stack Overflow - Search for 'Stack Overflow'
what is differece between Asp.net MVC 1 and Asp.net MVC 2? >>> More
Top 5 reasons for using ASP.NET MVC 2 rather than ASP.NET MVC 1

as seen on Stack Overflow - Search for 'Stack Overflow'
I've been using ASP.NET MVC 1 for a while now, and am keen to take advantage of the improvements in MVC 2. Things like validation seem greatly improved, and strongly-typed HTML helper methods look great. So, for those of you who have real-world practical experience of using ASP.NET MVC 1 and are… >>> More

Related posts about authorization

Apache2 - mod_rewrite : RequestHeader and environment variables

as seen on Server Fault - Search for 'Server Fault'
I try to get the value of the request parameter "authorization" and to store it in the header "Authorization" of the request. The first rewrite rule works fine. In the second rewrite rule the value of $2 does not seem to be stored in the environement variable. As a consequence the request header… >>> More
Apache2 - mod_rewrite : RequestHeader and environment variables

as seen on Server Fault - Search for 'Server Fault'
I try to get the value of the request parameter "authorization" and to store it in the header "Authorization" of the request. The first rewrite rule works fine. In the second rewrite rule the value of $2 does not seem to be stored in the environement variable. As a consequence the request header… >>> More
OAuth: Token-Based Authorization for the Social Networking Age

as seen on Internet.com - Search for 'Internet.com'
The OAuth token-based authorization system allows users to grant third-party access to their resources without sharing their usernames and passwords. It's perfect for the age of data scattered across many social networking sites. >>> More
OAuth: Token-Based Authorization for the Social Networking Age

as seen on Internet.com - Search for 'Internet.com'
The OAuth token-based authorization system allows users to grant third-party access to their resources without sharing their usernames and passwords. It's perfect for the age of data scattered across many social networking sites. >>> More
Implementing OAuth Authorization on Social Networks

as seen on Internet.com - Search for 'Internet.com'
Walk through all the necessary steps for implementing the OAuth token-based authorization system—a perfect security solution for the social networking age—on both the consumer and provider sides. >>> More