views: 147
answers: 0

How should ASP.NET MVC routes be structured to allow granular role-based access control to business branches?

Every business entity is related to a branch, either by itself or via its parent entities. Is there an elegant way to authorize actions based on user-roles for any number of branches?

1. {branch} in route?

{branch}/{controller}/{action}/{id}

Action:

[Authorize(Roles="Technician")]
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    // Authorize will test if User has Technician role in branch context
    // ...
}

2. Retrieve branch from business entity?

{controller}/{action}/{id}

Action:

public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    if (!User.HasAccessTo("WidgetAction", obj.Branch))
        throw new HttpException(403, "No soup for you!"); // or redirect

    // ...
}

3. Or is there a better way?
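As an added example (not code from the question or from any answer), one way to implement option 1: a custom AuthorizeAttribute that takes {branch} from the route data and checks the required role within that branch. IBranchRoleService, BranchAuthorizeAttribute and the static ServiceFactory hook are assumed names; in a real application the service would come from the DI container.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup: does this user hold this role within this branch?
public interface IBranchRoleService
{
    bool IsInBranchRole(string userName, string branch, string role);
}

public class BranchAuthorizeAttribute : AuthorizeAttribute
{
    // Route value carrying the branch, as in {branch}/{controller}/{action}/{id}
    public string BranchRouteKey { get; set; }

    // Hypothetical hook; a real app would resolve the service from its DI container.
    public static Func<IBranchRoleService> ServiceFactory { get; set; }

    public BranchAuthorizeAttribute() { BranchRouteKey = "branch"; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;

        // Fail closed: no branch in the route means no branch context, hence no access.
        var branch = httpContext.Request.RequestContext.RouteData.Values[BranchRouteKey] as string;
        if (string.IsNullOrEmpty(branch))
            return false;

        var requiredRoles = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToList();
        if (requiredRoles.Count == 0)
            return true; // no Roles given: being authenticated is enough, as with AuthorizeAttribute

        var service = ServiceFactory();
        return requiredRoles.Any(role => service.IsInBranchRole(user.Identity.Name, branch, role));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but lacking the role in this branch: answer 403 instead of redirecting to login.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Applied as [BranchAuthorize(Roles = "Technician")] on the action, this only establishes that the user holds the role in the branch named in the URL; the action (or a model binder) must still confirm that the entity loaded by {id} belongs to that same branch, which is the check option 2 performs against obj.Branch.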