Hi,
This is my first post here, so hello :) Okay, let's get to the point... I am writing my first app in ASP.NET MVC Framework and i have a problem with checking privileges to use instances of model classes (read, edit). Sample code looks like this:
// Controller action
[CustomAuthorize(Roles="Editor, Admin")]
public ActionResult Stats(int id)
{
User user = userRepository.GetUser(id);
if (user == null || !user.Activated || user.Removed)
return View("NotFound");
else if (!user.IsCurrentSessionUserOwned)
return View("NotAuthorized");
return View(user);
}
So far authorize attribute protects only controller actions, so my question is: how to make CustomAuthorize attribute to check not only user role, usernames but also did i.e. resources instantiated in action methods (above: User class, but there are other ORM LINQ2SQL classes like News, Photos etc.) All of these object to check have their unique ID's, so user entity have own ID, News have their ID's and UserID field referecned to Users table. How should i resolve that problem?