My google skills are failing me on this. I'm looking for the "right way" to do data based entitlements in ASP.Net MVC (3).
With regular entitlements where one just need to know the user and the route can be done with the [Authorize] attribute, but this doesn't appear to work with data based entitlements b/c of the need to have a connection to the data store.
Is the obvious approach of inserting a check into the action methods the right way?
Is the obvious approach of inserting a check into the action methods the right way?
That's what I do.
if (!userHasAuthorization)
return view("Unauthorized");
It's by far the simplest way.
To make sure you only have to do "userHasAuthorization" once, you can put a method in your repository or service layer that checks for authorization, and use that in place of the boolean value userHasAuthorization.
Without knowing what "data based entitlements" are. I do believe that custom action filters will get you what you want. This lets you manage whatever you need around authorization with having the context of the route, user, etc. Gives more fine grained control. Also gives you the re usability so you dont need to plug if statements into your action methods.
AuthorizeAttribute to the database? It's something I've often wondered myself. The custom AuthorizeAttribute does not have access to your repository, but by the time you've already entered the Action Method, it is too late.
You could create a custom action filter derived from the [Authorize] attribute that uses the data store to check authorization.
IDBConnection ?