Access Control in ASP.NET MVC depending on input parameters / service layer?

by

First of all, I think you already half-way figured it, becuase you stated that

as first I’d need a different role for every product, and second I won’t know which role to check for until I’ve retrieved my Product from the Repository

I’ve seen so many attempts at making role-based security do something it was never intended to do, but you are already past that point, so that’s cool 🙂

The alternative to role-based security is ACL-based security, and I think that is what you need here.

You will still need to retrieve the ACL for a product and then check if the user has the right permission for the product. This is so context-sensitive and interaction-heavy that I think that a purely declarative approach is both too inflexible and too implicit (i.e. you may not realize how many database reads are involved in adding a single attribute to some code).

I think scenarios like this are best modeled by a class that encapsulates the ACL logic, allowing you to either Query for decision or making an Assertion based on the current context – something like this:

var p = this.ProductRepository.GetProductById(id);
var user = this.GetUser();
var permission = new ProductEditPermission(p);

If you just want to know whether the user can edit the product, you can issue a Query:

bool canEdit = permission.IsGrantedTo(user);

If you just want to ensure that the user has rights to continue, you can issue an Assertion:

permission.Demand(user);

This should then throw an exception if the permission is not granted.

This all assumes that the Product class (the variable p) has an associated ACL, like this:

public class Product
{
    public IEnumerable<ProductAccessRule> AccessRules { get; }

    // other members...
}

You might want to take a look at System.Security.AccessControl.FileSystemSecurity for inspiration about modeling ACLs.

If the current user is the same as Thread.CurrentPrincipal (which is the case in ASP.NET MVC, IIRC), you can simplyfy the above permission methods to:

bool canEdit = permission.IsGranted();

or

permission.Demand();

because the user would be implicit. You can take a look at System.Security.Permissions.PrincipalPermission for inspiration.

More Related Contents:

  1. Why map special routes first before common routes in asp.net mvc?
  2. getting the values from a nested complex object that is passed to a partial view
  3. jQuery Ajax calls and the Html.AntiForgeryToken()
  4. How to use jquery or ajax to update razor partial view in c#/asp.net for a MVC project
  5. Why LINQ to Entities does not recognize the method ‘System.String ToString()?
  6. How to mock the Request on Controller in ASP.Net MVC?
  7. How and where to define an environment variable on Azure
  8. ASP.NET MVC – How exactly to use View Models
  9. How to force ASP.NET Web API to always return JSON?
  10. How to disable a global filter in ASP.Net MVC selectively
  11. HTTP Error 403.14 – Forbidden The Web server is configured to not list the contents
  12. Stream file using ASP.NET MVC FileContentResult in a browser with a name?
  13. Where can I find a list of escape characters required for my JSON ajax return type?
  14. ASP.NET MVC Forms Authentication + Authorize Attribute + Simple Roles
  15. Unobtrusive validation not working on dynamically-added partial view
  16. MVC 3 Layout Page, Razor Template, and DropdownList
  17. Asp.Net MVC how to get view to generate PDF
  18. How to access Facebook private information by using ASP.NET Identity (OWIN)?
  19. What is routes.IgnoreRoute(“{resource}.axd/{*pathInfo}”)
  20. error with decimal in mvc3 – the value is not valid for field
  21. Use Entity framework I want to include only first children objects and not child of child(sub of sub)
  22. What does the Web.Config file do in the views folder of a MVC project
  23. How can I override the @Html.LabelFor template?
  24. Traditional ASP .NET Web Forms vs MVC
  25. Multiple Forms in same page ASP.net MVC
  26. change controller name convention in ASP.NET MVC
  27. ASP.NET WebApi vs MVC? [closed]
  28. Get [DisplayName] attribute of a property in strongly-typed way
  29. Howto allow “Illegal characters in path”?
  30. Mapping Lists using Automapper

Leave a Comment