So let's say I have an eBay-type application where only the seller can edit his/her listing. How do I go about restricting access to the Edit action based on the Id of the item we're editing and the currently logged-in user?

As far as I can tell, the Authorize attribute only allows you to restrict access to controller actions based on whether the user is authenticated or not and their role. Is this simply something that I need to handle manually within the controller?

+1  A: 

A custom attribute deriving from IAuthorizeFilter.

Justice
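
One way to write the custom authorization filter suggested in the answer above, as an added example that is not code from this thread or from the linked article. It assumes ASP.NET MVC 3 or later (`System.Web.Mvc`, where the filter interface is `IAuthorizationFilter`); `ListingOwnerOnlyAttribute`, `IListingOwnerLookup` and `LookupFactory` are hypothetical names.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical lookup supplied by the application: returns the seller's
// user name for a listing, or null when no such listing exists.
public interface IListingOwnerLookup
{
    string GetSellerUserName(int listingId);
}

// Usage: [ListingOwnerOnly] public ActionResult Edit(int id) { ... }
[AttributeUsage(AttributeTargets.Method)]
public sealed class ListingOwnerOnlyAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumption: set once at application start. MVC may reuse attribute
    // instances across requests, so the filter keeps no per-request state.
    public static Func<IListingOwnerLookup> LookupFactory { get; set; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult(); // 401: not logged in
            return;
        }

        // Take "id" from the controller's value provider, the same source
        // model binding uses, so the id checked is the id the action receives.
        ValueProviderResult raw = filterContext.Controller.ValueProvider.GetValue("id");
        int listingId;
        string seller = null;
        if (raw != null && int.TryParse(raw.AttemptedValue, out listingId))
        {
            seller = LookupFactory().GetSellerUserName(listingId);
        }

        // Assumption: user names compare case-insensitively in this application.
        bool isOwner = seller != null && string.Equals(
            seller, user.Identity.Name, StringComparison.OrdinalIgnoreCase);

        // A missing listing and someone else's listing get the same 404, so
        // the response does not reveal which listing ids exist.
        if (!isOwner)
        {
            filterContext.Result = new HttpNotFoundResult();
        }
    }
}
```

Repeating the ownership comparison inside the POST action, against the listing it loads before saving, keeps the check in force if the attribute is ever dropped from the action.
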
A: 

This looks like a pretty good example of controlling actions based on users and roles. http://www.coderjournal.com/2008/03/securing-mvc-controller-actions/

I'm brand-spanking new at MVC though, so I could be wrong. Check it out and let us know if it helped.

Nikki9696