I am debating on whether or not to write my own authentication class. It's almost done but I think it could be better to use a role provider (either custom or the default). I know you can assign users to roles, and then display info to the user based upon the current role. But what if you want to assign permission based upon a task? For example, say sometimes I want a role of editor to be able to modify other people's posts, but other times I don't. That is a simple situation but I would like to have a finer grained level of authorization, instead of having a ton of roles (editor, editor-all-posts, etc.). Is this possible using a custom ASP.NET role provider, or should I just continue finishing my own system?

A: 

I'm not entirely sure what you mean, if you can clarify:

For example, say sometimes I want a role of editor to be able to modify other people's posts, but other times I don't.

You can assign multiple roles to users. So I would have a base role, then progressively add functionality:

  • Editor
  • Moderator
  • Admin
  • Etc.

And a user can belong to all three.

DaRKoN_
Say I have 2 forums. In one forum a user can edit other people's posts, but in the other, they can only edit their own. Now I need 2 roles. When I add a new user I need to add each role. I could be adding like 20 roles... Is there any way to assign user roles to a usergroup?
Shawn Simon
+1  A: 

The basic ASP.NET Role provider is flat structured - so a user needs to belong to all the roles they are a member of.

You would need to find/write a role provider that supports hierarchies - I'd recommend this route over something completely different as you will get some benefits from it such as the other aspects of the framework that work with these providers (login controls, config settings for authorisation/access etc).

Really you want something like:

  • User Role - Can post to forum, can edit their own posts.
  • Editor Role - Can do anything a user can, and can edit other posts.
  • Admin Role - Can do anything an editor can, and other adminy things.

So if a user is in the Editor role, they are automatically given rights as a user, etc.

Then your choices are either:

  1. Duplicate those roles for each forum, assign users to them etc.
  2. Add a couple of properties to your users' profiles, say "ForumEdit" and "ForumAdmin", and store a list of forums they are able to edit/admin in there.

The advantage of (1) is that you only need to do one check to see if the user can perform admin/edit tasks, but you have a higher overhead of managing all these roles.

The advantage of (2) is that it's easy to manage the roles, you can remove a user from the editors group, and they lose all editor rights for example, but you have a higher cost to determine whether they are actually an editor for that forum as you need to query their profile.

Similar answer to this one here really.

Zhaph - Ben Duguid
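
The hierarchy and option (2) from the answer above combined into one deny-by-default check, as an added example that is not part of the original answers and does not use ASP.NET's RoleProvider API. All type and method names are hypothetical; only the "ForumEdit" and "ForumAdmin" property names come from the answer.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; a real site would load these from its profile store.
enum Role { User = 0, Editor = 1, Admin = 2 }   // a higher value implies every lower role

sealed class ForumUser
{
    public string Name;
    public Role Role;
    // Option (2): per-forum scope kept on the profile instead of one role per forum.
    public HashSet<int> ForumEdit = new HashSet<int>();
    public HashSet<int> ForumAdmin = new HashSet<int>();
}

static class ForumAuthz
{
    // Hierarchy check: an Admin also passes Editor and User checks.
    public static bool IsInRole(ForumUser u, Role required) => u.Role >= required;

    // Deny by default: access is granted only by an explicit branch below.
    public static bool CanEditPost(ForumUser u, int forumId, string postAuthor)
    {
        if (u == null || u.Name == null) return false;
        // Any user may edit their own posts.
        if (string.Equals(u.Name, postAuthor, StringComparison.OrdinalIgnoreCase))
            return IsInRole(u, Role.User);
        // Admin rights apply only in forums listed in ForumAdmin.
        if (IsInRole(u, Role.Admin) && u.ForumAdmin.Contains(forumId)) return true;
        // Editor rights apply only in forums listed in ForumEdit.
        return IsInRole(u, Role.Editor) && u.ForumEdit.Contains(forumId);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample data: alice is an editor scoped to forum 1 only.
        var alice = new ForumUser { Name = "alice", Role = Role.Editor };
        alice.ForumEdit.Add(1);
        Console.WriteLine(ForumAuthz.CanEditPost(alice, 1, "bob"));    // forum in her scope
        Console.WriteLine(ForumAuthz.CanEditPost(alice, 2, "bob"));    // forum outside her scope
        Console.WriteLine(ForumAuthz.CanEditPost(alice, 2, "alice"));  // her own post

        alice.Role = Role.User;  // dropping the role revokes editor rights in every forum at once
        Console.WriteLine(ForumAuthz.CanEditPost(alice, 1, "bob"));
    }
}
```

The role check and the forum-scope check are both required for editing someone else's post, so a stale "ForumEdit" entry on a demoted user grants nothing.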