ansaurus

Question

Answer 1

+1 A:

Set up your methods for retrieving data from your database repository in such a way that you can pass the UserID of the currently logged in person as a parameter. You can then use a permissions table to filter the data to only that data for which the user has access.

The permissions table would have two fields: UserID and ContentID. Once this is set up, it's fairly straightforward to set up CRUD screens so that someone with administrative privileges can set content permissions.

Robert Harvey 2009-11-26 00:34:35

Good suggestion. Re: permissions table, what would ContentID be? Lets say I have Orders, OrderItems, SalesSlips, etc... many entities. What would contentId be? and how would I know what that ID maps too?

zzz 2009-11-26 00:49:27

In that case, you need another field in the permissions table that is a TableID. It would also be good to have a table containing the table names and table IDs.

Robert Harvey 2009-11-26 01:52:14

Or, you can just move up to an entity that the user does have access to, that incorporates the records in question. For example, if the salesperson has access to a specific order, he also has access to all of the OrderItems on that order.

Robert Harvey 2009-11-26 02:00:44

Answer 2

A:

I use IPrincipal and Authorize(Roles='...') attribute to limit access to actions. IPrincipal is then injected into service layer and user IIdentity is used to filter data.

Example: Users create tasks. Every user can see his tasks. GetTask(int taskId) method first filters by CreatedBy field using identifier from IIdentity and then takes task with specified id. If user doesn't have access to data, method will not return any rows.

LukLed 2009-11-26 00:51:41

Answer 3

+1 A:

The problem I see with this, is that this will be application wide,

Then you need common service that handles it. Suprisingly, I would call it IAuthorisationService.

and I am looking for best practices on how to approach this. Should I be looking at CustomControllers? Filters? or what?

Whichever way you choose you should use common IAuthorisationService above.
From my experience I can tell that it is easier to inject the service into controller and use it on every action:

/* Interfaces */
public interface IAuthorisationService {
 bool CanEdit(YourItem item);
}

public interface ICurrentUserProvider {
 YourUserEntity GetCurrentUser();
}

/* Implementations */
public class HttpUserProvider : ICurrentUserProvider {
 public YourUserEntity GetCurrentUser() {
  return HttpContext.Current.User.Principal as YourUserEntity;
 }
}

public calss RolesAuthorisationService : IAuthorisationService {
 ICurrentUserProvider userProvider
 public RolesAuthorisationService(ICurrentUserProvider userProvider) {
  this.userProvider = userProvider;
 }

 public bool CanEdit(YourItem item) {
  var u = userProvider.GetCurrentUser();
  if (u == null)
   return false;
  return item.Owner == u && u.IsInRole("EditYourItem");
 }
}

/* Controller */

public class MyController: Controller {
 IAuthorisationService authorisation;

 public MyController(IAuthorisationService authorisation) {
  this.authorisation = authorisation;
 }

 public ActionResult Edit(int id) {
  var item = GetTheItembyIdSomehow();
  if (!authorisation.CanEdit(item))
   return new HttpUnauthorizedResult();

  // Can do this
 }
}

Then you can use ControllerFactory to inject the required dependencies automatically into the controllers:

class DependencyInjectionContainer : WindsorContainer {
    public DependencyInjectionContainer() {
        RegisterDependencies();
    }

    private void RegisterDependencies() {

        // Services
        Register(
            AllTypes.Of<IDiscoverableService>()
                .FromAssembly(typeof(IDiscoverableService).Assembly)
                .Configure(c => c.LifeStyle.Transient)
                .WithService.FromInterface()
            );

        // Controllers
  Register(
   AllTypes.Of<IController>()
    .FromAssembly(typeof(DependencyInjectionContainer).Assembly)
    .Configure(c => c.LifeStyle.Transient)
   );
    }
}

class WindsorControllerFactory : DefaultControllerFactory, IDisposable {
    private readonly IWindsorContainer container;

    public WindsorControllerFactory() {
        container = new DependencyInjectionContainer();
    }

    protected override IController GetControllerInstance(Type controllerType) {
        if (controllerType == null)
            return base.GetControllerInstance(controllerType);
        return (IController) container.Resolve(controllerType);
    }

    public void Dispose() {
        container.Dispose();
    }
}

Dmytrii Nagirniak 2009-11-26 00:57:57

Looking at your code, it appears that you are only specifying roles such as "edit," and not permissions for specific items.

Robert Harvey 2009-11-26 01:54:43

Ohh. Yes. Sorry. I'll update it.

Dmytrii Nagirniak 2009-11-26 02:03:15

ansaurus

tags:

views:

answers:

MVC Protecting User Based Data Security

related questions