Dynamic AuthorizeAttribute with database
I want to create an AuthorizeAttribute that gets the current ActionMethod RouteData and searches in a database for a user that has access to this ActionMethod.

I created a UserAccessPermission table:

```csharp
using System.ComponentModel;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;

public class UserAccessPermission
{
    [Key]
    public int UserAccessPermissionId { get; set; }
    public string ActionMethod { get; set; }
    public string Controller { get; set; }
    public string Area { get; set; }
    public bool HasAccess { get; set; }

    [DisplayName("User ID")]
    [ForeignKey("ApplicationUser")]
    public string Id { get; set; }

    [DisplayName("User")]
    public virtual ApplicationUser ApplicationUser { get; set; }
}
```

and then link it to the User table:

```csharp
using System.Collections.Generic;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser
{
    public ApplicationUser()
    {
        AccessPermissions = new HashSet<UserAccessPermission>();
    }

    // some custom fields
    //*******************************************************************
    public virtual ICollection<UserAccessPermission> AccessPermissions { get; set; }
}
```

so each user has multiple ActionMethods that they can access. Then I create my custom AuthorizeAttribute:

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class DynamicRoleAuthorizeAttribute : AuthorizeAttribute
{
    // One UserManager (and DbContext) per attribute instance; it is never disposed.
    private readonly UserManager<ApplicationUser> _userManager =
        new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        bool result = false;
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        IPrincipal user = httpContext.User;
        if (!user.Identity.IsAuthenticated)
        {
            return false;
        }

        //var rolesProvider = new RoleProvider();
        var routeData = httpContext.Request.RequestContext.RouteData;
        var controller = routeData.GetRequiredString("controller");
        var action = routeData.GetRequiredString("action");
        string area = null;

        var userId = httpContext.User.Identity.GetUserId();
        var _user = _userManager.FindById(userId);
        if (_user == null)
        {
            return false; // authenticated principal with no matching user row
        }

        if (routeData.DataTokens["area"] != null)
        {
            // The area name lives in DataTokens, not in Values, so GetRequiredString would throw here.
            area = routeData.DataTokens["area"] as string;
            result = _user.AccessPermissions
                .Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action) && string.Equals(x.Area, area))
                .Select(x => x.HasAccess)
                .FirstOrDefault();
        }
        else
        {
            result = _user.AccessPermissions
                .Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action))
                .Select(x => x.HasAccess)
                .FirstOrDefault();
        }

        if (result)
        {
            return true;
        }
        return false;
        //return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }
}
```

But this approach is too hard for page management, and the admin should give user access permission for each ActionMethod. Is there any better way to do this?

Tags: c# entity-framework asp.net-mvc authorization asp.net-identity
edited May 20 '18 at 19:15 by Jamal♦
asked May 18 '18 at 16:04 by AminM
Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
– Gert Arnold, May 20 '18 at 19:33

A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
– Gert Arnold, May 20 '18 at 19:35

@GertArnold what do you mean by 'building blocks of your application'?
– AminM, May 20 '18 at 20:58

AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
– Gert Arnold, May 22 '18 at 6:56

@GertArnold what should I do now?
– AminM, May 24 '18 at 15:47
1 Answer
Yes. You are close, man!

You have to make relationships between pairs of controller+action and some user actions. For example:

Security Staff can only view Personal Info:
- View Personal

Then your HHRR Manager can:
- View Personal
- Add Personal
- Edit Personal

And finally the HHRR Director can do more actions like:
- View Personal
- Add Personal
- Edit Personal
- Delete Personal

And now in the game you should include some extra tables, bro! hehehehehehe

Let's say your system has an HHRR module. Add this module record to the AccessModule table. Then add 3 records to AccessModuleActions like:
- HHRR Director
- HHRR Manager
- Security Staff

Apply the ACL to each user via the PersonalModuleActions table. Actually you should use PersonalModuleActions in the website admin GUI area. And internally (no GUI for it) you're gonna use the WebSiteAccessModuleActions table, where you keep relationships between controller methods and those "roles".

This approach allows you to:
1) Ignore methods that are not described in WebSiteAccessModuleActions
2) Build a very flexible ACL subsystem.

Enjoy, dude!

P.S. Include an Area column in WebSiteAccessModuleActions if you have identical controllers in several of the website's areas.
answered 6 mins ago by Academy of Programmer (new contributor)
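An added example (my code, not from the question or the answer) of the decision logic the answer describes: WebSiteAccessModuleActions maps controller+action(+area) to module actions, PersonalModuleActions assigns module actions to users, and the check asks whether the user holds any module action that grants the requested endpoint. The table shapes, ids and user names are constructed for the demo, and unmapped endpoints are denied by default, which is the safer reading of the answer's "ignore" rule.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical in-memory stand-ins for the two tables the decision needs (assumption: in the
// real app they are EF entities from ApplicationDbContext); AccessModule(Actions) only name ids.
public sealed class PersonalModuleAction { public string UserId; public int ModuleActionId; }
public sealed class WebSiteAccessModuleAction { public string Area, Controller, ActionMethod; public int ModuleActionId; }

// Pure decision logic. In the attribute from the question, AuthorizeCore would call
// IsAllowed(userId, controller, action, area) with the values it already reads from RouteData.
public sealed class ModuleActionAuthorizer
{
    private readonly List<WebSiteAccessModuleAction> _endpoints;
    private readonly List<PersonalModuleAction> _acl;
    private readonly bool _denyUnmapped;   // default fails closed: unmapped endpoints are denied

    public ModuleActionAuthorizer(List<WebSiteAccessModuleAction> endpoints, List<PersonalModuleAction> acl, bool denyUnmapped = true)
    {
        _endpoints = endpoints; _acl = acl; _denyUnmapped = denyUnmapped;
    }

    public bool IsAllowed(string userId, string controller, string action, string area)
    {
        if (string.IsNullOrEmpty(userId)) return false;
        string wantedArea = area ?? string.Empty;
        // Every module action ("role") that grants this controller+action(+area).
        // Comparison is case-insensitive because MVC route matching is too.
        var granting = new HashSet<int>(_endpoints
            .Where(e => Same(e.Controller, controller) && Same(e.ActionMethod, action)
                        && Same(e.Area ?? string.Empty, wantedArea))
            .Select(e => e.ModuleActionId));
        if (granting.Count == 0) return !_denyUnmapped;
        // Allowed if the ACL gives this user at least one of the granting module actions.
        return _acl.Where(p => p.UserId == userId).Any(p => granting.Contains(p.ModuleActionId));
    }

    private static bool Same(string a, string b) =>
        string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
}

public static class Program
{
    // Constructed ids for the three AccessModuleActions rows of the answer's HHRR module.
    const int Director = 10, Manager = 11, SecurityStaff = 12;
    public static ModuleActionAuthorizer BuildSample()
    {
        // WebSiteAccessModuleActions: which "roles" grant each action of the Personal controller.
        var endpoints = new List<WebSiteAccessModuleAction>();
        void Map(string action, params int[] roleIds)
        {
            foreach (int r in roleIds) endpoints.Add(new WebSiteAccessModuleAction
                { Area = "HHRR", Controller = "Personal", ActionMethod = action, ModuleActionId = r });
        }
        Map("View", Director, Manager, SecurityStaff);
        Map("Add", Director, Manager);
        Map("Edit", Director, Manager);
        Map("Delete", Director);
        // PersonalModuleActions: the ACL rows assigning one role to each constructed user.
        var acl = new List<PersonalModuleAction> {
            new PersonalModuleAction { UserId = "u-security", ModuleActionId = SecurityStaff },
            new PersonalModuleAction { UserId = "u-manager", ModuleActionId = Manager },
            new PersonalModuleAction { UserId = "u-director", ModuleActionId = Director } };
        return new ModuleActionAuthorizer(endpoints, acl);
    }
    public static int Main()
    {
        var authz = BuildSample();
        var checks = new (string user, string action, string area, bool expected)[]
        {
            ("u-security", "View", "HHRR", true),
            ("u-security", "Add", "HHRR", false),
            ("u-manager", "Edit", "HHRR", true),
            ("u-manager", "Delete", "HHRR", false),
            ("u-director", "delete", "hhrr", true),    // case-insensitive, like routing
            ("u-director", "View", null, false),       // same controller outside the area
            ("u-director", "Export", "HHRR", false),   // unmapped endpoint: fail closed
        };
        int failures = 0;
        foreach (var c in checks)
        {
            bool got = authz.IsAllowed(c.user, "Personal", c.action, c.area);
            Console.WriteLine($"{c.user,-11} Personal/{c.action,-6} area={c.area ?? "-",-5} -> {got}");
            if (got != c.expected) failures++;
        }
        return failures;   // exit code 0 when every decision matches the answer's matrix
    }
}
```

Requires C# 7.0 or later (tuples and local functions); because the endpoint-to-role mapping is keyed by route, adding a new role or endpoint is a row insert rather than a per-user permission edit.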