I am writing an ASP.NET MVC 3 application and I have a number of roles:
System Admin, Customer Admin, Budget Owner, App Owner
I know that I can easily restrict access to certain controllers (and action methods) using the [Authorize(Roles="...")] attribute.
However some of the authorisation is not based purely on role, but on permissions. For example the budget owners should only be able to access budgets assigned to their cost centre - not other peoples budgets.
At present I have some code within the action methods to check for this:
if(UserCapabilities.CanAccessBudget(budgetId))
{
// get budget and show view
}
else
{
// redirect to index action
}
This is starting to make my code messy and make checking security a nightmare - as I have many action methods that need these different types of authorisation checks.
An idea that I have had is to write some custom attributes that I can use to decorate my action methods and clean up my code:
//
// GET: /Budgets/View/1
[CanAccessBudget]
public ActionResult View(int id)
{
//...
}
What do people think? Is writing custom attributes the cleanest and most maintainable way to go?
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 混吃等死 的文章《ASP.NET MVC 3 Custom Authorisation [closed]》','https://www.manongdao.com/article-156705.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}