views:

403

answers:

2

I have an ASP.Net Web Forms application in which I'm using forms-based authentication with Membership and Role providers, which is fine for authenticating and controlling access to directories and/or files. Now I find myself needing to control read, write and delete access on individual entity instances, for example being able to update or delete an instance of a customer. I've been trying to think of a good way to implement this but I don't really know where to start. I read about the Authorize attribute in ASP.Net MVC and thought it would be nice to have something analogous--decorating methods the way you can controller actions in ASP.Net MVC. I don't know of any out of the box way to accomplish this in the Web Forms world though, and don't know of any frameworks or other tools that might help me move in that direction. Any suggestions, both in terms of existing solutions and/or how to design my own implementation would be greatly appreciated.

+5  A: 

The easiest way is to demand that the user is a member of the role(s) required for the method in question with PrincipalPermissionAttribute.

using System.Security.Permissions;

[PrincipalPermission(SecurityAction.Demand, Role="Supervisor")]
[PrincipalPermission(SecurityAction.Demand, Role="Owner")]
public void DeleteSomething() {...}

Note that this means Supervisor OR Owner can DeleteSomething()

BC
Thanks and an up-vote. In my ignorance I never knew about the PrincipalPermission attribute, so I will look into that. I'm going to leave the question unanswered for a while to see if it attracts any additional insights.
I Have the Hat
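As an added example (not code from the page or from the answerer), here is a self-contained console program that shows the PrincipalPermission demand from the answer above actually running: the same two stacked attributes, a caller in each role, a caller in neither, plus the imperative form of the demand. It assumes .NET Framework 4.x, which is what ASP.NET Web Forms runs on; on .NET Core / .NET 5+ the attribute is obsolete and declarative demands are not enforced. The class and method names (CustomerService, RunAs), the user names and the role "Clerk" are made up for the demonstration.

```csharp
// Added example (not from the original page): PrincipalPermission demands in action.
// Assumes .NET Framework 4.x; declarative PrincipalPermission is not enforced on
// .NET Core / .NET 5+, where the attribute is obsolete (SYSLIB0002).
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class CustomerService
{
    // Two stacked demands are unioned by the runtime: the caller must be in
    // Supervisor OR Owner, not in both.
    [PrincipalPermission(SecurityAction.Demand, Role = "Supervisor")]
    [PrincipalPermission(SecurityAction.Demand, Role = "Owner")]
    public static void DeleteSomething(int customerId)
    {
        Console.WriteLine("Deleted customer {0}", customerId);
    }

    // A single demand: only Supervisors get through.
    [PrincipalPermission(SecurityAction.Demand, Role = "Supervisor")]
    public static void PurgeAll()
    {
        Console.WriteLine("Purged everything");
    }

    // Imperative form of the same check, for when the role name is not known at
    // compile time. Fails with SecurityException exactly like the attribute.
    public static void UpdateSomething(int customerId, string requiredRole)
    {
        new PrincipalPermission(null, requiredRole).Demand();
        Console.WriteLine("Updated customer {0}", customerId);
    }
}

static class Program
{
    // Run an action under a constructed principal and report whether it was allowed.
    // In ASP.NET the principal is set for you by forms authentication plus the
    // RoleProvider; here it is set by hand on the current thread.
    static bool RunAs(string userName, string[] roles, Action action)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(userName), roles);
        try
        {
            action();
            Console.WriteLine("{0}: allowed", userName);
            return true;
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("{0}: denied ({1})", userName, ex.Message);
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    static void Main()
    {
        // Constructed sample users; names and role memberships are illustrative only.
        RunAs("alice", new[] { "Owner" },      () => CustomerService.DeleteSomething(42));
        RunAs("bob",   new[] { "Supervisor" }, () => CustomerService.DeleteSomething(42));
        RunAs("carol", new[] { "Clerk" },      () => CustomerService.DeleteSomething(42));
        RunAs("alice", new[] { "Owner" },      () => CustomerService.PurgeAll());
        RunAs("bob",   new[] { "Supervisor" }, () => CustomerService.UpdateSomething(42, "Supervisor"));
    }
}
```

Two things worth knowing before using this in a page: a failed demand surfaces as a SecurityException, which in Web Forms becomes an unhandled server error unless you catch it and turn it into a 403 or a redirect; and a role demand only answers "is the caller in role X?", so a rule such as "only the user who owns this customer record may delete it" still has to be checked in code against the record itself.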
A: 

I don't think "PrincipalPermission" is a good approach. What if I need to allow DeleteSomething() for another role? Similarly, what if I need to remove an existing role from DeleteSomething()? The only way is changing the attributes at code level. This is not at all feasible for big projects.

I am also looking for a nice solution.
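One way to get both things the thread is after, rules that can change without recompiling and decisions that depend on the individual record, is to keep the role-to-operation grants in a table and check them in code. The following is an added example (not from the page or either answerer): the policy table format, the Customer, PermissionRule and EntityAuthorizer types and the sample users are all made up for the demonstration, and the table would normally be loaded from a database or config rather than the inline strings used here.

```csharp
// Added example (not from the original page): a data-driven, instance-aware
// authorizer. Rule table format, type names and sample data are this example's own.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

enum Operation { Read, Write, Delete }

// Minimal entity with an owner, standing in for the customer in the question.
class Customer
{
    public int Id;
    public string OwnerUserName;
}

// One row of the policy table: which role may perform which operation on which
// entity type, and whether the grant is limited to records the caller owns.
class PermissionRule
{
    public string Role;
    public string EntityType;
    public Operation Operation;
    public bool OwnerOnly;

    // Parse "Role, EntityType, Operation, OwnerOnly". In a real application the
    // rows would live in a table edited through an admin page, not in source.
    public static PermissionRule Parse(string line)
    {
        string[] f = line.Split(',').Select(s => s.Trim()).ToArray();
        if (f.Length != 4) throw new FormatException("bad rule: " + line);
        return new PermissionRule
        {
            Role = f[0],
            EntityType = f[1],
            Operation = (Operation)Enum.Parse(typeof(Operation), f[2], true),
            OwnerOnly = bool.Parse(f[3]),
        };
    }
}

class EntityAuthorizer
{
    private readonly List<PermissionRule> _rules;
    public EntityAuthorizer(IEnumerable<PermissionRule> rules) { _rules = rules.ToList(); }

    // Deny by default. Grant only when some rule matches the caller's role and the
    // requested operation and, for owner-only rules, the caller owns this instance.
    // IPrincipal.IsInRole is what the configured RoleProvider answers in Web Forms.
    public bool IsAllowed(IPrincipal user, Operation op, Customer target)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return _rules.Any(r =>
            r.EntityType == "Customer" &&
            r.Operation == op &&
            user.IsInRole(r.Role) &&
            (!r.OwnerOnly ||
             string.Equals(user.Identity.Name, target.OwnerUserName, StringComparison.OrdinalIgnoreCase)));
    }

    // Throwing form for the top of a business method or code-behind handler,
    // analogous to PrincipalPermission.Demand() but aware of the record.
    public void Demand(IPrincipal user, Operation op, Customer target)
    {
        if (!IsAllowed(user, op, target))
            throw new UnauthorizedAccessException(
                string.Format("{0} may not {1} customer {2}", user.Identity.Name, op, target.Id));
    }
}

static class Program
{
    static void Main()
    {
        // Constructed policy: Supervisors may do anything to any customer; Clerks may
        // read any customer but write or delete only the ones they own.
        var authorizer = new EntityAuthorizer(new[]
        {
            "Supervisor, Customer, Read,   false",
            "Supervisor, Customer, Write,  false",
            "Supervisor, Customer, Delete, false",
            "Clerk,      Customer, Read,   false",
            "Clerk,      Customer, Write,  true",
            "Clerk,      Customer, Delete, true",
        }.Select(PermissionRule.Parse));

        var customer = new Customer { Id = 42, OwnerUserName = "alice" };

        // Constructed principals; in ASP.NET pass HttpContext.Current.User instead.
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk" });
        var bob   = new GenericPrincipal(new GenericIdentity("bob"),   new[] { "Clerk" });
        var sue   = new GenericPrincipal(new GenericIdentity("sue"),   new[] { "Supervisor" });

        Console.WriteLine("alice delete: " + authorizer.IsAllowed(alice, Operation.Delete, customer));
        Console.WriteLine("bob delete:   " + authorizer.IsAllowed(bob,   Operation.Delete, customer));
        Console.WriteLine("bob read:     " + authorizer.IsAllowed(bob,   Operation.Read,   customer));
        Console.WriteLine("sue delete:   " + authorizer.IsAllowed(sue,   Operation.Delete, customer));

        try { authorizer.Demand(bob, Operation.Delete, customer); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }
    }
}
```

With that table, alice (a Clerk who owns record 42) and sue (a Supervisor) may delete the customer, while bob (a Clerk who does not own it) may only read it. Adding or removing a role for an operation is a change to the table, not to the attributes on the method, and the owner comparison is the piece a role-only demand cannot express.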