views:

31

answers:

1

I can do authorization easily on the controller actions using the Authorization attribute. But how do I render views as easily as using Authorization attribute?

For example, if I have a menu and the user is unauthorized for certain menus, how would I hide those menu items?

Let's say I have a page that renders a table with add/edit/delete links. I have controller actions that correspond to those links and so the unauthorized user cannot perform those actions. But I'd like to go further by hiding them altogether.

What I have now is a spaghetti of a mess that checks for user permissions in the view - whole bunch of <% if (user.hasPermission(..) { %> ... <% } %>. It's unruly.

What strategies are there to mitigate this mess? Certainly I can't be the first one to have run into this dilemma.

A: 

I think a "security trimming" ActionLink helper would solve your problem nicely:

http://stackoverflow.com/questions/2721869/security-aware-action-link/2722026#2722026

jfar
That's nice but it only works for a single link. I'm really looking for a way to filter in or out a block of code, or a block of markup. I know <% if (condition) { %>...<% } %> effectively does this but I feel as if it's inadequate. Perhaps it's a different view engine that I need
Jiho Han