Hey

I'm working on a web forum of sorts, or well, trying to design one using ASP.NET MVC. However, user-role-based content is quite a larger challenge than simply using an [Authorize] attribute, since the given output differs depending on the access roles.

So while a user in the Moderators role should be able to see secret sub-boards, a user in the normal Member role should not.

For this I need to design my data layer correctly, but it's puzzling me how to do this, as I really want to follow the MVC pattern and apply the filtering in the controller, but the issue comes up with nested content and relationships.

Because if the Category.Forum in the IList should not be visible to a given user, then I would somehow need to use a single database query to fetch Category.Forum, while a proper data layer would attempt to split it up into two DA modules, CategoryDA and ForumDA.

Another thing is the whole application of user roles through the Membership system, as a user can have several roles.

It's a bit hard to explain, but I guess a lot of people are familiar with typical bulletin boards, and might be able to give me some idea of how to design my data access layer correctly.

Thanks :)
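One way to handle the nested case the question describes, written here as an added example rather than code from the question: the controller collects the caller's roles once (with the Membership system that is Roles.GetRolesForUser) and passes the set into the data access layer, which applies the visibility rule to categories and their nested forums in a single pass. The Forum, Category and CategoryDA types and the VisibleToRoles property are assumptions made for the example; the sample board data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical domain model for the board (not from the question).
public class Forum
{
    public int Id { get; set; }
    public string Name { get; set; }
    // Roles allowed to see this forum; an empty set means visible to everyone.
    public HashSet<string> VisibleToRoles { get; set; }
    public Forum() { VisibleToRoles = new HashSet<string>(); }
}

public class Category
{
    public int Id { get; set; }
    public string Name { get; set; }
    public IList<Forum> Forums { get; set; }
    public Category() { Forums = new List<Forum>(); }
}

// Data access: the caller's roles come in as a parameter, so the DA layer
// filters categories and their nested forums together, in one query with a
// real ORM (the Where on Forums becomes a join against a forum/role table).
public class CategoryDA
{
    private readonly IEnumerable<Category> _source;   // stand-in for the DB context
    public CategoryDA(IEnumerable<Category> source) { _source = source; }

    public IList<Category> GetVisibleCategories(ISet<string> userRoles)
    {
        return _source
            .Select(c => new Category
            {
                Id = c.Id,
                Name = c.Name,
                Forums = c.Forums
                    // A user holding several roles sees a forum if any role matches.
                    .Where(f => f.VisibleToRoles.Count == 0
                             || f.VisibleToRoles.Overlaps(userRoles))
                    .ToList()
            })
            // Drop categories that end up with nothing the caller may see.
            .Where(c => c.Forums.Count > 0)
            .ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data.
        var staffOnly = new HashSet<string> { "Moderators", "Admins" };
        var modsOnly = new HashSet<string> { "Moderators" };
        var categories = new List<Category>
        {
            new Category { Id = 1, Name = "General", Forums = new List<Forum> {
                new Forum { Id = 10, Name = "Announcements" },
                new Forum { Id = 11, Name = "Staff Room", VisibleToRoles = staffOnly } } },
            new Category { Id = 2, Name = "Backstage", Forums = new List<Forum> {
                new Forum { Id = 20, Name = "Moderation Log", VisibleToRoles = modsOnly } } }
        };
        var da = new CategoryDA(categories);

        // In a controller these sets would come from Roles.GetRolesForUser(User.Identity.Name).
        var memberRoles = new HashSet<string> { "Member" };
        var modRoles = new HashSet<string> { "Member", "Moderators" };

        Print("Member", da.GetVisibleCategories(memberRoles));
        Print("Moderator", da.GetVisibleCategories(modRoles));
    }

    static void Print(string who, IList<Category> cats)
    {
        Console.WriteLine(who + ":");
        foreach (var c in cats)
            Console.WriteLine("  " + c.Name + ": " + string.Join(", ", c.Forums.Select(f => f.Name)));
    }
}
```

Filtering the listing this way only hides links; the actions that render a forum or its threads still need their own role check against the same rule, otherwise a member who guesses a forum id reads the secret board anyway.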

A: 

It is probably easier to just create your own action filter to do authorization instead of using the basic [Authorize] attribute. Like this:

using System;
using System.Web.Mvc;

public class CheckPermission : ActionFilterAttribute
{
    // Role the decorated action requires; null means any authenticated user.
    public string Role { get; set; }

    public override void OnActionExecuting
        (ActionExecutingContext filterContext)
    {
        try
        {
            // do your security checks here
            var user = filterContext.HttpContext.User;
            if (user == null || !user.Identity.IsAuthenticated
                || (Role != null && !user.IsInRole(Role)))
            {
                // if NOT allowed, throw NOTAUTHORIZED exception
                throw new UnauthorizedAccessException();
            }
        }
        catch (UnauthorizedAccessException)
        {
            // handle how to redirect - auto logout, etc
            // Setting Result short-circuits the action; a 401 lets
            // forms authentication redirect to the login page.
            filterContext.Result = new HttpUnauthorizedResult();
        }
        finally
        {
            base.OnActionExecuting(filterContext);
        }
    }
}
Johannes Setiabudi
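A variant of the same idea, added here as an example and not part of the answer above: deriving from AuthorizeAttribute instead of ActionFilterAttribute makes the check an authorization filter, so it runs before action filters and cooperates with [OutputCache] (a cached response would otherwise be served without re-running an action filter). The example also shows the per-resource check the question needs, looking up which roles may see the requested forum. The IForumAccessDA interface, the DAFactory hook and the forumId parameter name are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup used to find which roles may see a forum.
public interface IForumAccessDA
{
    IEnumerable<string> GetRolesForForum(int forumId);
}

// Authorization filter for actions that take a forumId route or query parameter.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class ForumAccessAttribute : AuthorizeAttribute
{
    // Assumed: wired up at application start, e.g. from your DI container.
    public static Func<IForumAccessDA> DAFactory { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: authenticated, plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Route value first, then query string.
        object routeValue = httpContext.Request.RequestContext.RouteData.Values["forumId"];
        string forumIdText = routeValue != null
            ? routeValue.ToString()
            : httpContext.Request.QueryString["forumId"];

        int forumId;
        if (!int.TryParse(forumIdText, out forumId))
            return false;   // missing or malformed id: deny rather than fall through

        var allowed = DAFactory().GetRolesForForum(forumId).ToList();
        if (allowed.Count == 0)
            return true;    // public forum

        // A user holding several roles passes if any one of them is allowed.
        return allowed.Any(role => httpContext.User.IsInRole(role));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Logged in but not permitted: answer 403 instead of bouncing to login.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
        else
        {
            // Not logged in: 401, which forms authentication turns into a login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Usage on a controller action:
//
// [ForumAccess]
// public ActionResult Threads(int forumId) { /* ... */ }
```

The attribute protects individual actions; it complements rather than replaces filtering the category listing in the data layer, since both must agree on which roles may see a forum.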