How should ASP.NET MVC routes be structured to allow granular role-based access control to business branches?
Every business entity is related to a branch, either by itself or via its parent entities. Is there an elegant way to authorize actions based on user-roles for any number of branches?
1. {branch} in route?
{branch}/{controller}/{action}/{id}
Action:
[Authorize(Roles="Technician")]
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
// Authorize will test if User has Technician role in branch context
// ...
}
2. Retrieve branch from business entity?
{controller}/{action}/{id}
Action:
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
if (!User.HasAccessTo("WidgetAction", obj.Branch))
throw new HttpException(403, "No soup for you!"); // or redirect
// ...
}