views: 30
answers: 2

Hello fellow developers,

I am a bit new to ASP.NET MVC and I have a bit of an ordeal. I am developing a website with several roles in it and of course the logic and gui that the user gets depends on the role (duh).

There are 10 separate roles in this application. They do share most of the same functionality but some screens will be different depending on which roles they are in.

Here's my question. All examples and tutorials I've read on the internet and the Apress book that I have been reading show an example of how to implement roles with one role (Admin), in which the common way is to provide an Admin Controller (or even Admin area) for the authorized section of the site. However, what if there are 10 roles? Do I really need to code up 10 separate controllers?

Let me help the question by giving detail on what is being developed. There will be a menu, and the menu items will be filtered by role according to which views (or pages) they can and cannot get. Then, from what they select, it will provide them a restricted view (or authorized page), which from within will provide a plethora of functionality limited to just that role.

I know there are several different ways to do this, I just want to know what is the recommended or "clean" way.

Have any of you been in this situation and if so, how did you organize the logic for multiple roles? Separate all roles to separate controllers? Have few controllers but just apply authorize filtering on the action methods? Apply the role filtering within the views or partial views and leave the controllers alone?

Unfortunately there are few resources for how to implement several roles out there. I just want to know how to do it the "correct" way in terms of separating the logic.

A: 

I would put the pieces of functionality into partial views. Have one controller per piece of website and load partial views based on the role and what should be exposed.

I would only stray from that if you have an excessive amount of differences, like an administrator would possibly have. Then I typically make an area to encapsulate that functionality.

Regardless of the controller separation I would definitely use partial views to minimize duplication of similar code. You will reap the benefits when you need to maintain that code.

Dustin Laine
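The layout this answer describes, written out as an added example (it is not code from the answer or from the Apress book): one controller for a section of the site, `[Authorize]` on the controller and on the sensitive action as the actual access control, and a view model carrying `Can*` flags that the view uses to decide which partials to render. `OrdersController`, `Order`, `OrdersIndexViewModel`, the role names and the in-memory order list are all assumed for illustration. The point worth keeping in mind is that hiding a partial is a usability measure only; a user in the wrong role who posts to `Approve` directly is stopped by the attribute, not by the missing button.

```csharp
// Added example: one controller per section of the site, role-specific partials.
// Hypothetical names throughout; the order list is a constructed stand-in for a repository.
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

public class Order
{
    public int Id { get; set; }
    public string Customer { get; set; }
    public decimal Total { get; set; }
    public bool Approved { get; set; }
}

public class OrdersIndexViewModel
{
    public IList<Order> Orders { get; set; }
    // Decided in the controller so the view never evaluates policy itself.
    public bool CanApprove { get; set; }
    public bool CanExport { get; set; }
}

// Any of these roles may enter the section; this attribute is the gate for every action below.
[Authorize(Roles = "Clerk,Supervisor,Auditor")]
public class OrdersController : Controller
{
    // Constructed sample data standing in for a database.
    private static readonly List<Order> Orders = new List<Order>
    {
        new Order { Id = 1, Customer = "Acme", Total = 120.50m },
        new Order { Id = 2, Customer = "Globex", Total = 80.00m },
    };

    public ActionResult Index()
    {
        var model = new OrdersIndexViewModel
        {
            Orders = Orders.ToList(),
            CanApprove = User.IsInRole("Supervisor"),
            CanExport = User.IsInRole("Supervisor") || User.IsInRole("Auditor"),
        };
        return View(model);
    }

    // The approve partial posts here. Even if a Clerk crafts this POST by hand,
    // the action-level [Authorize] rejects it; the hidden partial is not the control.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Supervisor")]
    public ActionResult Approve(int id)
    {
        var order = Orders.FirstOrDefault(o => o.Id == id);
        if (order == null)
            return HttpNotFound();
        order.Approved = true;
        return RedirectToAction("Index");
    }
}

/* Views/Orders/Index.cshtml (Razor) - composes the shared table with role-specific partials:

@model OrdersIndexViewModel
@Html.Partial("_OrderTable", Model.Orders)
@if (Model.CanApprove) { @Html.Partial("_ApproveOrders", Model.Orders) }
@if (Model.CanExport)  { @Html.Partial("_ExportOrders") }
*/
```

The shared table partial is rendered for every role, and only the partials that a role can actually use are added, so the common code lives in one place while the differences stay small and visible in the view.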
A: 

Use Authorize on the action methods and apply the roles allowed for the operation.

Depending on what's appropriate for the scenario, build a list of available actions from the controller and send that to the view as part of the view model. In some cases it's more appropriate to send a simpler view model that tells the view whether each operation is allowed, i.e. CanDelete, CanEdit, CanViewDetailedInfo etc.

I'd start with that, and depending on the actual complexity re-factor to any combination of:

  • An ActionFilter that populates the available actions / instead of explicitly doing it in the controller
  • Use reflector to look for the list of roles applied in authorize / so you only specify roles once
  • Your own html helpers that take authorization into account. So when you declare an action link, it's only output when the action is supported.
eglasius
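The last two bullets combined, as an added example that is not the answerer's code: an `HtmlHelper` extension that reads the `[Authorize]` attributes already on the target controller and action through reflection and only emits the link when the current user satisfies them, so the roles are declared once, on the action, and the menu follows them. The extension class name, the convention of scanning the executing assembly for `{Name}Controller`, and the caching field are assumptions of this example. The check mirrors what the stock `AuthorizeAttribute` does with its `Roles` and `Users` properties; a subclass that overrides `AuthorizeCore` with its own logic would not be reflected here, which is the main caveat of this approach.

```csharp
// Added example: an action link that renders only when the user passes the target
// action's [Authorize] attributes. Names and the assembly-scan convention are assumed.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Reflection;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Mvc.Html;

public static class AuthorizedLinkExtensions
{
    // Reflection over every link is wasteful; cache the attribute set per controller/action pair.
    private static readonly ConcurrentDictionary<string, AuthorizeAttribute[]> Cache =
        new ConcurrentDictionary<string, AuthorizeAttribute[]>(StringComparer.OrdinalIgnoreCase);

    public static MvcHtmlString AuthorizedActionLink(this HtmlHelper html, string linkText,
                                                     string actionName, string controllerName)
    {
        var user = html.ViewContext.HttpContext.User;
        return IsAllowed(user, controllerName, actionName)
            ? html.ActionLink(linkText, actionName, controllerName)
            : MvcHtmlString.Empty;
    }

    public static bool IsAllowed(IPrincipal user, string controllerName, string actionName)
    {
        var attributes = Cache.GetOrAdd(controllerName + "/" + actionName,
                                        _ => FindAuthorizeAttributes(controllerName, actionName));
        // null means the target could not be resolved: fail closed rather than render a dead link.
        if (attributes == null)
            return false;
        // The filter pipeline runs every [Authorize] on the class and the action; all must pass.
        return attributes.All(a => Satisfies(user, a));
    }

    private static AuthorizeAttribute[] FindAuthorizeAttributes(string controllerName, string actionName)
    {
        // Assumption: controllers live in the web assembly and follow the "{Name}Controller" convention.
        var controllerType = Assembly.GetExecutingAssembly().GetTypes()
            .FirstOrDefault(t => typeof(IController).IsAssignableFrom(t) && !t.IsAbstract
                              && t.Name.Equals(controllerName + "Controller", StringComparison.OrdinalIgnoreCase));
        if (controllerType == null)
            return null;

        // All overloads of the action (e.g. GET and POST) are considered together.
        var actions = controllerType.GetMethods(BindingFlags.Public | BindingFlags.Instance)
            .Where(m => m.Name.Equals(actionName, StringComparison.OrdinalIgnoreCase)
                     && typeof(ActionResult).IsAssignableFrom(m.ReturnType))
            .ToArray();
        if (actions.Length == 0)
            return null;

        return controllerType.GetCustomAttributes(typeof(AuthorizeAttribute), true)
            .Concat(actions.SelectMany(m => m.GetCustomAttributes(typeof(AuthorizeAttribute), true)))
            .Cast<AuthorizeAttribute>()
            .ToArray();
    }

    // Same rules the stock AuthorizeAttribute applies: authenticated, in one of Roles, one of Users.
    private static bool Satisfies(IPrincipal user, AuthorizeAttribute attr)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        var roles = SplitList(attr.Roles);
        if (roles.Length > 0 && !roles.Any(user.IsInRole))
            return false;

        var users = SplitList(attr.Users);
        if (users.Length > 0 && !users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return false;

        return true;
    }

    private static string[] SplitList(string csv)
    {
        return (csv ?? string.Empty).Split(',')
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToArray();
    }
}

/* In a menu partial:
@Html.AuthorizedActionLink("Approve orders", "Approve", "Orders")
*/
```

An action with no `[Authorize]` at all yields an empty attribute set and the link is rendered for everyone, which matches the framework's behaviour. The helper only decides what the menu shows; the `[Authorize]` attribute on the action is still what rejects a request from a user who types the URL by hand.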