Hi,

Say that you have a controller named Buildings and that every user in the system has a set of buildings that he/she administrates. If you have an Edit action in your controller that you can access with /Buildings/Edit/{id}, is there a nice and simple way to implement some kind of authorization attribute that only allows access to this site if the id you are trying to edit is a part of the logged-in user's set of buildings? Or do you have to handle this yourself in your controller?

regards Freddy

+1  A: 

Sure you can. You can derive from the Authorize attribute to define your own authorization for an action method. There's an example of using it in this blog post.

Steven Robbins
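
A sketch of the derived attribute the answer describes, added here as an illustration and not taken from the linked blog post. `BuildingOwnerAttribute`, `BuildingAccess` and its sample data are hypothetical names constructed for this example; a real application would look up ownership in its own data store.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical ownership store; a real application would query its database.
public static class BuildingAccess
{
    // Constructed sample data: user name -> ids of buildings that user administrates.
    private static readonly Dictionary<string, HashSet<int>> Owned =
        new Dictionary<string, HashSet<int>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new HashSet<int> { 1, 2 } },
            { "bob", new HashSet<int> { 3 } }
        };

    public static bool UserAdministers(string userName, int buildingId)
    {
        HashSet<int> ids;
        return Owned.TryGetValue(userName, out ids) && ids.Contains(buildingId);
    }
}

public class BuildingOwnerAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: authenticated, plus any Users/Roles restrictions.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // The {id} segment of /Buildings/Edit/{id}; deny when missing or not numeric.
        object raw = httpContext.Request.RequestContext.RouteData.Values["id"];
        int buildingId;
        if (raw == null || !int.TryParse(raw.ToString(), out buildingId))
            return false;

        return BuildingAccess.UserAdministers(httpContext.User.Identity.Name, buildingId);
    }
}

public class BuildingsController : Controller
{
    [BuildingOwner]
    public ActionResult Edit(int id)
    {
        return View();
    }
}
```

The attribute only vouches for the id in the route. Model binding can take `id` from posted form data ahead of route values, so the POST version of the action should confirm that the id it saves is the one that was checked.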