Implementing a Suspension or Penalty System for Users in ASP.NET MVC

Question

I'm writing a site in ASP.NET MVC that will have user accounts. As the site will be oriented towards discussion, I think I need a system for admins to be able to moderate users, just like we have here, on Stack Overflow. I'd like to be able to put a user into a "suspension", so that they are able to log in to the site (at which point they are greeted with a message, such as, "Your account has been suspended until [DATE]"), but are unable to do the functions that users they would normally be able to do.

What's the best way of implementing this?

I was thinking of creating a "Suspended" role, but the thing is, I have a few different roles for normal users themselves, with different privileges.

Have you ever designed a feature like this before? How should I do it? Thanks in advance.

Answer 1

I don't know what your object model looks like, but I would assume that any user could be suspended.

Edit: I've thought of an alternate solution which is probably simpler considering that you will need to serialize the data somewhere. Perhaps you could use a regular DateTime on your 'user' object, but initialize it to DateTime.MinValue for new users. Whenever you put a user 'in suspension', set suspendedUntil to the time they are suspended until.

DateTime suspendedUntil = DateTime.MinValue;

Whenever you need to check to see whether a user is in suspension or not, just compare suspendedUntil with DateTime.Now. If suspendedUntil comes after DateTime.Now, you know the user is suspended until the date and time specified. Otherwise, the user is not suspended. After a user comes out of suspension, there is no need to modify suspendedUntil since it will then be after DateTime.Now.

bool userIsSuspended = suspendedUntil > DateTime.Now;

Serializing the DateTime would be a matter of saving the value of suspendedUntil.ToBinary() and "rehydrating" it using DateTime.FromBinary(long).

Answer 2

I think roles is the way to go without writing lots of plumbing code.

Create a role called Active which everyone is a member of by default. Then take users out of that role while they are suspended.

Every action you want to deny to suspended users requires the Active role. Simples.

Answer 3

Let me convert a comment to an answer and rape Zach and James answers to provide what I think would be a workable solution without the need to enter the 'custom provider zone'. While writing custom providers is not terribly complicated it is my experience that if you can get the built in providers to do what you want, even if it requires a smell here or there, is always the best route.

Add a role, say WellGroomedAndBehavesSelf, that controls access to things that well groomed and behaved users should have access to.

Implement a profile in your web.config and add a ReinstateDate property (or UngroundedOnDate ;-D).

When a user misbehaves, remove them from the role WellGroomedAndBehavesSelf and set the ReinstateDate profile property.

In your login logic, override OnAuthenticate and check for a ReinstateDate profile property, if present and passed, clear it and add the user to the role WellGroomedAndBehavesSelf.

Done and no need for custom providers.

UPDATE: An alternate approach, and probably more robust preventing users from being grounded forever if somehow the profile gets cleared elsewhere than login logic, is to check for the role WellGroomedAndBehavesSelf and if missing, THEN check the profile for ReinstateDate. If it has passed or is not present, put the user back into WellGroomedAndBehavesSelf.

Same effect, but the subtle change in logic will provide a more robust solution.

How to implement Profiles:

If you are using a Web Site project look here.

If you are using a Web Application project look here.