
Our application is being migrated from WebForms to MVC. We have a different way of handling authorizations. A Database View is queried to verify a user's authorization. This view returns, for each user, the whole menu hierarchy. For example, if User1 is trying to access a page named SecretList.aspx, a search is applied through the menu hierarchy (saved in HTTP Session after auth) to check the access authorization. If a menu item related to SecretList.aspx exists for that user, then the access is granted.

My question is, how to implement this approach in ASP.NET MVC 3?

I wouldn't like to put Attributes on each Controller Action, and I've been reading about Route Constraints and Custom Controllers.

For Route Constraints, could I access the HTTP Session and retrieve my Menu Hierarchy for the Authorization query?

For a Custom Controller, which method should I consider overloading? Can I check authorization and redirect to another view before the Controller executes the complete Action code?

Any other better idea?

  • Can you use the standard Role Provider or customize it? stackoverflow.com/questions/376655/… Commented Apr 25, 2012 at 2:20
  • I don't have access to Roles Data in my code. All roles and users relationships are inside the Database View. Commented Apr 25, 2012 at 2:41
  • So are they in the SQL Membership provider. Commented Apr 25, 2012 at 2:53
  • To grant permission, I query a View. For example, select * from vw_UserMenuFunctionality where user = ID. Through this view, we create our Object and put it in HTTP Session after Login. This object is a hierarchy of the menus the user has access to. If the page to be accessed exists in the Object.MenuList<>, the access is granted. All this is done to not allow direct access by the address. Commented Apr 25, 2012 at 3:10

2 Answers

I would use a custom Action Filter that is added globally to all actions; it would work very similarly to the built-in Authorize Attribute. The action filter is run after routes have resolved and the controller is created (so anything passed to the controller must be constructable by any user). It can then check if the user can execute the action or if another ActionResult should be returned instead.

I would highly recommend looking at the MVC source (or using a tool like ILSpy) to view the code for the Authorize Attribute.

You could use a custom route constraint, but that would effectively mean the route doesn't exist for the user rather than they're not allowed access.


1 Comment

Yeah, I know it's open source now; however, you get a better browsing experience using ILSpy than you do from the web (go to definition, analyse usages, etc.)

If you don't want to apply Attributes to your actions and want to keep the access logic away from the Controller and Action definitions, you can build a global action filter.

    using System.Web.Mvc;
    using System.Web.Routing;

    // Global action filter: once registered in GlobalFilters it runs before every action.
    public class MenuAccessAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var requestRoute = filterContext.RouteData.Route;

            var currentUser = WebWorker.CurrentUser; // Or whatever your way is to get the current user from session

            // Deny when the user is known but the route is not in that user's menu hierarchy.
            // Note: a null currentUser is not blocked here; that is left to authentication.
            if (currentUser != null && !MenuAccessService.UserHasAccessToRoute(currentUser, requestRoute))
            {
                // RedirectToRouteResult takes (routeName, routeValues); null values are fine for a named route
                filterContext.Result = new RedirectToRouteResult("MenuAccessDenied", null);
            }

            base.OnActionExecuting(filterContext);
        }
    }

Or something along these lines.

Then, in global.asax Application_Start:

    GlobalFilters.Filters.Add(new MenuAccessAttribute());

But if I were you, I'd spend some time adapting my access logic to ASP.NET MVC Roles, implementing a custom RoleProvider and decorating my controllers and actions with the right Authorize attributes.
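A fuller version of the global filter both answers describe, added here as an example rather than code from either answer: it reads the session-stored menu hierarchy from the question, runs as an authorization filter (like AuthorizeAttribute, before model binding and action filters) and denies anything not in the hierarchy. The MenuItem shape, the SessionKey value and the SkipMenuAuthorization marker are assumptions, not the asker's real types.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Shape of the menu hierarchy the question stores in Session after login (assumed, not the page's class).
public class MenuItem
{
    public string Controller { get; set; }
    public string Action { get; set; }
    public List<MenuItem> Children { get; set; }
}

// Marker for the few actions that must work before a hierarchy exists (login, access-denied page).
public class SkipMenuAuthorizationAttribute : Attribute { }

// An authorization filter runs before model binding and action filters, so a denied request never reaches the action.
public class MenuAuthorizeFilter : IAuthorizationFilter
{
    public const string SessionKey = "UserMenuHierarchy"; // assumed key written at login

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.ActionDescriptor.IsDefined(typeof(SkipMenuAuthorizationAttribute), true))
            return;
        var menu = filterContext.HttpContext.Session[SessionKey] as IEnumerable<MenuItem>;
        if (menu == null)
        {   // No hierarchy in session means no login: 401, which Forms auth turns into the login redirect.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }
        // Compare the resolved controller/action, not the raw URL, so casing or alias routes cannot
        // sidestep the check; anything absent from the hierarchy is denied (deny by default).
        string controller = filterContext.RouteData.GetRequiredString("controller");
        string action = filterContext.RouteData.GetRequiredString("action");
        bool allowed = Flatten(menu).Any(m =>
            string.Equals(m.Controller, controller, StringComparison.OrdinalIgnoreCase) &&
            string.Equals(m.Action, action, StringComparison.OrdinalIgnoreCase));
        if (!allowed)
            filterContext.Result = new HttpStatusCodeResult(403, "Page is not in this user's menu hierarchy");
    }

    static IEnumerable<MenuItem> Flatten(IEnumerable<MenuItem> items)
    {
        foreach (var item in items)
        {
            yield return item;
            foreach (var child in Flatten(item.Children ?? Enumerable.Empty<MenuItem>())) yield return child;
        }
    }
}
// Global.asax Application_Start: one registration covers every controller and action.
// GlobalFilters.Filters.Add(new MenuAuthorizeFilter());
```

As with AuthorizeAttribute, do not put OutputCache on actions protected this way: a cached response is served before any filter runs.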
