ASP.NET MVC security: how to check if a controller method is allowed to execute under current user's perrmissions

Question

Given an ASP.NET MVC Controller class declaration:

public class ItemController : Controller
{
    public ActionResult Index()
    {
       // ...
    }

    public ActionResult Details()
    {
       // ...
    }

    [Authorize(Roles="Admin, Editor")]
    public ActionResult Edit()
    {
       // ...
    } 

    [Authorize(Roles="Admin")]
    public ActionResult Delete()
    {
      // ..
    }
}

I need to reflect a list of methods in this class which may be invoked with the current user's permissions.

Please share some ideas of what could be done in this case.

Answer 1

Well for the new question think something along the lines of:

new ReflectedControllerDescriptor(typeof(ItemController)).GetCanonicalActions()

could be used to return the list of all available actions. I don't have ASP.NET MVC available to me at work, so I can't really check to see if the ActionDescriptor's returned by that will contain some parameter which says which members are allowed to execute them.

http://msdn.microsoft.com/en-us/library/system.web.mvc.actiondescriptor_members%28v=VS.90%29.aspx

That is the members of the ActionDescriptor, you might be able to find something in there. I'll see tonight if I can figure it out, this has gotten me kind of intrigued.

---

There's no universal user login/authentication system for all applications, thus this really isn't possible to create a 'universal solution'. You could create your own user login and authorization classes which you then add your own annotations to methods to do, but its going to have the same restrictions that the asp.net mvc system has, its only for your login/authorization system (or whoever extends that system).