What is the best way to customize user authorization when basing user privilege on something other than specific accounts/roles?

Question

I'm trying to write an ASP.NET MVC application where user privilege is based upon points rather than by a hard-coded role per se. I've tried researching authorization and membership providers but all the information I find points back to role based authentication which isn't really part of my model.

While writing this question I'm wondering if I'm even researching the right things. Would this be a custom role-provider? Does such a thing exist? It suddenly occurs to me that having a custom role provider which checks the user's points to determine if they're in a particular role or not might be the simplest way to go but I have no idea of the keywords I need to use with relation to ASP.NET MVC to find the right information.

What is the best way to achieve this goal?

Answer 1

I would suggest that a custom authorize attribute that extends AuthorizeAttribute would be a better route. Your attribute would support the ability to do authorization based on Roles, User, or Points, with the former two being provided by the base class and the latter implemented in your custom attribute.

public class PointAuthorizeAttribute : AuthorizeAttribute
{
    public int PointsRequired { get; set; }

    protected override bool AuthorizeCore( HttpContextBase httpContext )
    {
         if (base.AuthorizeCore( httpContext ))
         {
             var name = httpContext.User.Identity.Name;
             using (var db = new SomeDataContext())
             {
                 var userPoints = db.Users
                                    .Where( u => u.UserName == name )
                                    .Select( u => u.Points )
                                    .SingleOrDefault();
             }
             return (userPoints >= PointsRequired);
         }
         return false;
    }
}

Used as

[PointAuthorize( PointsRequired = 50 )]
public ActionResult Comment( string comment )
{
}

You may want to customize it further so that failing a points requirement redirects to an error message rather than to the login page. In this case you'd have to override the OnAuthorization method as well and, perhaps, determine there if the user's point level is too small and then replace the result on the AuthorizationContext with your error view.