I'm beginning to design the infrastructure of a web application developed with ASP.NET MVC preview 2 as a learning experience. I have my own domain model and database schema I wish to use for authentication.

I want to perform a variant of role-based authentication. However, I can't seem to wrap my head around how to do this.

I have a user that has access to a "Blog". How can I perform authorization where the user is in the expected role, but also where the user belongs to the aforementioned "Blog"?

Would a custom role provider be needed, or should I perform the logic in an authorization attribute for the controller actions, querying the authenticated user's BlogId and performing the authorization logic there? I'm unaware of any built-in way to currently do this, but if there is, please correct me.

If possible, an example of a custom role provider, or authorize attribute that would provide this functionality would be great.

Thank you

+1  A: 

It sounds like what you are wanting is the ability to have both a role and an ownership check. For example, a user may have the role of "author" but would also need to have an ownership relationship with a particular blog to actually be able to create or update blog entries. Using a standard role provider along with a custom authorization attribute that knows how to check for ownership -- essentially a particular foreign key relationship between the entity for the action and the current user entry in the DB -- seems to be a reasonable way to approach this.

You can find some sample code on my answer to this similar question.

tvanfosson
Thank you for the quick response. Would using the authorize attribute conflict with output caching? I remember reading about that somewhere.
Michael G
Look at the source for the AuthorizeAttribute at http://www.codeplex.com/aspnet and see how they handle the caching issues. In my code sample, you can see I call SetCachePolicy() which basically implements code that addresses this in a way similar to the AuthorizeAttribute itself.
tvanfosson
This seems to be exactly what I need. Thank you.
Michael G
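The role-plus-ownership attribute described in the answer above, written out as an added example (this is not tvanfosson's code sample and not part of the original thread). It targets the AuthorizeAttribute of ASP.NET MVC 2 and later (the AuthorizeCore override and HttpRequestBase.RequestContext), not the preview 2 API the question mentions. IBlogRepository, InMemoryBlogRepository, BlogOwnerAuthorizeAttribute, its BlogIdParameter and RepositoryFactory members, and BlogEntryController are hypothetical names; the ownership data in the in-memory repository is constructed sample data, standing in for the foreign-key lookup against the poster's own schema.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical repository abstraction: answers "does this blog belong to this user?".
// The page does not define the schema, so the real query behind this is left open.
public interface IBlogRepository
{
    bool IsOwnedBy(int blogId, string userName);
}

// Constructed in-memory implementation so the attribute can be exercised without a database.
public class InMemoryBlogRepository : IBlogRepository
{
    private readonly Dictionary<int, string> _owners = new Dictionary<int, string>
    {
        { 1, "alice" },   // blog 1 belongs to alice (constructed sample data)
        { 2, "bob" }      // blog 2 belongs to bob
    };

    public bool IsOwnedBy(int blogId, string userName)
    {
        string owner;
        return _owners.TryGetValue(blogId, out owner)
            && string.Equals(owner, userName, StringComparison.OrdinalIgnoreCase);
    }
}

// Role check (inherited from AuthorizeAttribute and backed by the configured role provider)
// followed by an ownership check on the blog named in the request.
public class BlogOwnerAuthorizeAttribute : AuthorizeAttribute
{
    // Name of the route value / query parameter carrying the blog id (assumption: "blogId").
    public string BlogIdParameter { get; set; }

    // Hook for supplying the repository; defaults to the in-memory sample above.
    public static Func<IBlogRepository> RepositoryFactory = () => new InMemoryBlogRepository();

    public BlogOwnerAuthorizeAttribute()
    {
        BlogIdParameter = "blogId";
    }

    // AuthorizeCore runs both on the normal request path and from the output-cache
    // validation callback that the base OnAuthorization registers, so keeping the
    // ownership check here stops a cached page from being served to a non-owner.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // 1. Authentication plus role membership (Roles = "..." on the attribute).
        if (!base.AuthorizeCore(httpContext))
            return false;

        // 2. Ownership: the requested blog must belong to the current user.
        int blogId;
        if (!TryGetBlogId(httpContext, out blogId))
            return false;   // no blog in the request: deny rather than guess

        string userName = httpContext.User.Identity.Name;
        return RepositoryFactory().IsOwnedBy(blogId, userName);
    }

    // Reads the blog id from route data first, then from the query string.
    private bool TryGetBlogId(HttpContextBase httpContext, out int blogId)
    {
        blogId = 0;
        object raw = null;
        var routeData = httpContext.Request.RequestContext.RouteData;
        if (routeData != null)
            routeData.Values.TryGetValue(BlogIdParameter, out raw);
        if (raw == null)
            raw = httpContext.Request.QueryString[BlogIdParameter];
        return raw != null && int.TryParse(raw.ToString(), out blogId);
    }
}

// Usage on a hypothetical controller action.
public class BlogEntryController : Controller
{
    // Caller must be in the "author" role AND own the blog identified by {blogId} in the route.
    [BlogOwnerAuthorize(Roles = "author")]
    public ActionResult Create(int blogId)
    {
        return View();
    }
}
```

The role part stays with the standard role provider, as the answer suggests; only the ownership relationship is custom. Putting that check inside AuthorizeCore rather than in a separate filter is what keeps it compatible with output caching, because the base attribute re-runs AuthorizeCore from its cache validation callback before a cached response is handed out.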