
I'm working on a project where there are three different user types (Admin, Parent, and Teacher) that access the website. The users log in by providing their credentials and selecting their type, as shown in the image below.

Login Form

I wanted to provide custom authentication and authorization for the users. Using the methods in this tutorial, I extended the MembershipProvider class for each user type and overrode the ValidateUser method, ending up with three classes named AdminAuthProvider, ParentAuthProvider and TeacherAuthProvider. Here is the code of the ValidateUser method in AdminAuthProvider:

public override bool ValidateUser(string username, string password)
{
    // Reject empty credentials before touching the database.
    if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
    {
        return false;
    }

    using (var db = new pscsEntities())
    {
        // Compares the submitted password directly against the stored column,
        // so this only works if the Admins table holds passwords in plaintext.
        return db.Admins.Any(admin => admin.username.Equals(username) && admin.password.Equals(password));
    }
}

The code for ValidateUser in the other two classes is the same. My questions are:

- Is there a better way of doing the authentication in a single class rather than three classes which extend the same class?
- How can I provide authorization roles in this scenario?

For the second question, the above tutorial suggests extending the RoleProvider class and overriding its methods. What I can't seem to figure out is how to override the GetRolesForUser method, as it only takes a single string parameter, which is the username of the currently logged-in user. I'm a bit confused here. If it helps, here are the table diagrams for the three users in the database:

Table diagrams

1 Answer


Your solution seems to conflate two related but distinct functions: authentication and authorization.

Authentication tells you who the user is. Authorization normally occurs after authentication and tells you what the user can do, typically expressed as a list of one or more roles. Under this traditional model, you would have a single table for all three types of users and only one means of authenticating them. Once authenticated, the database will tell you what kind of roles the user has (teacher, student, or admin). Based on the roles, the web site would expose different feature sets.

Under your model, the expression of the user's roles is wound up in the authentication process. Indeed, the user himself tells you his roles as part of the authentication process. This is an unusual design and is brittle for a number of reasons. For example, imagine a new type of user role (for example, "teacher's assistant"). Given your current design you'd have to add a fourth DB table and domain object management functions for the new table, as well as a fourth wrapper class for the authentication code. Your design also precludes users who have more than one role (what if I'm both an admin and a teacher?).

I would suggest you revisit this design and allow the user to provide only user name and password and allow the system to determine if he is a student, teacher, or admin, or some combination of these. With this design you would need only one authentication class and GetRolesForUser would make a lot more sense.


6 Comments

If I understood you correctly, you're suggesting that I should merge the three tables into one Users table and do both the authentication and authorization from there. The reason I didn't do that before is because I need the separate tables for use in other tables. For example, the Parents table has a foreign key relationship with a Student table. I'm afraid such kinds of relations will be lost once I merge the tables. Or that could be a wrong assumption. How do you propose I merge the tables without losing their roles in the database?
Hmmm, now you're asking DB design questions! One potential design is to have 1 table "Users" (PK = UserID), a second table "Roles" (with a M:1 relationship to Users) and a third table for UserRelationships (three columns: ParentID (FK to UserID), RelationshipType, and ChildID (FK to a different UserID)).
In the system, the users aren't related to each other but to students, who can't use the system; we just need their data in a table. In other words, we are labeling the users of the system as teachers or parents according to their relations with a student. Hence, I think the third table won't work accurately in my design. So how should I improve on that table?
I guess I am confused as to why there is a student radio button on the logon page.
I'm really sorry, it's by mistake. I have now corrected the login form. It should be a parent option rather than a student. To give you a bit of detail, I'm working on a Parent-School communication system. But I can't seem to get past the part where the system has to recognize users' roles instead of them telling it. I'm especially caught up in the database design of the Users table.
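As an added example (not code from the question, the answer, or the tutorial they refer to), here is the single-provider design the answer describes, together with the parent-to-student link that the comment thread worries about, kept as its own table keyed by UserId. The Users, UserRoles and ParentStudents lists, and the user names, passwords and student id in them, are constructed stand-ins for database tables. The PBKDF2 hashing and fixed-time comparison are an addition for the password-handling caveat, since the posted ValidateUser compares the submitted password against the stored column in plaintext. The code assumes .NET Framework 4.7.2 or later (or .NET Core) for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName.

```csharp
// Added example: one authentication path plus a separate role lookup, backed by
// in-memory stand-ins for the Users, UserRoles and ParentStudents tables.
// Assumes .NET Framework 4.7.2+ or .NET Core for the HashAlgorithmName overload.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

public sealed class UserRow { public int UserId; public string Username; public byte[] Salt; public byte[] PasswordHash; }
public sealed class UserRoleRow { public int UserId; public string Role; }
// Parents keep a row keyed by UserId, so the link to a student survives merging the user tables.
public sealed class ParentStudentRow { public int ParentUserId; public int StudentId; }

public static class AuthStore
{
    const int Iterations = 100000; // PBKDF2 work factor (assumed value)
    const int HashBytes = 32;
    const int SaltBytes = 16;

    // Constructed sample data standing in for database tables.
    public static readonly List<UserRow> Users = new List<UserRow>();
    public static readonly List<UserRoleRow> UserRoles = new List<UserRoleRow>();
    public static readonly List<ParentStudentRow> ParentStudents = new List<ParentStudentRow>();

    static AuthStore()
    {
        AddUser(1, "alice", "Correct Horse", "Admin", "Teacher"); // one user, two roles
        AddUser(2, "bob", "battery staple", "Parent");
        ParentStudents.Add(new ParentStudentRow { ParentUserId = 2, StudentId = 17 });
    }

    static void AddUser(int id, string username, string password, params string[] roles)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Users.Add(new UserRow { UserId = id, Username = username, Salt = salt, PasswordHash = Derive(password, salt) });
        foreach (var r in roles) UserRoles.Add(new UserRoleRow { UserId = id, Role = r });
    }

    // PBKDF2-HMAC-SHA256: the table stores salt + derived key, never the password.
    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Body for the single MembershipProvider.ValidateUser override: who is this user?
    public static bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        var user = Users.SingleOrDefault(u => u.Username == username);
        // Run the KDF even for unknown usernames so response time does not reveal which accounts exist.
        var salt = user?.Salt ?? new byte[SaltBytes];
        var candidate = Derive(password, salt);
        return user != null && FixedTimeEquals(candidate, user.PasswordHash);
    }

    // Body for the RoleProvider.GetRolesForUser override: the database, not the
    // login form, says what the user may do, and a user can hold several roles.
    public static string[] GetRolesForUser(string username)
    {
        return (from u in Users
                join ur in UserRoles on u.UserId equals ur.UserId
                where u.Username == username
                select ur.Role).ToArray();
    }

    // Compare every byte so a mismatch in the first byte costs the same as one in the last.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(AuthStore.ValidateUser("alice", "Correct Horse"));
        Console.WriteLine(AuthStore.ValidateUser("alice", "wrong"));
        Console.WriteLine(AuthStore.ValidateUser("nobody", "anything"));
        Console.WriteLine(string.Join(",", AuthStore.GetRolesForUser("alice")));
        Console.WriteLine(AuthStore.GetRolesForUser("nobody").Length);
    }
}
```

In a web project the MembershipProvider.ValidateUser and RoleProvider.GetRolesForUser overrides would delegate to AuthStore.ValidateUser and AuthStore.GetRolesForUser, with the lists replaced by the corresponding tables. Because the roles come from UserRoles rows rather than from which table the account lives in, the login form no longer needs a type selector, a new role such as "teacher's assistant" is a new row rather than a new table and provider class, and an account can be both Admin and Teacher at once.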
