I wish to lock out access to a user's EDIT page (eg. /user/pure.krome/edit) if

a) Identity.IsAuthenticated = false

or they are authenticated but

b) Idenitity.Name != user name of the user page they are trying to edit
c) Identity.UserType() != UserType.Administrator // This is like a Role, without using RoleProviders.

I'm assuming u can decorate a controller or a controller's action method with something(s), but i'm just not sure what?

Look at the AuthorizeAttribute.

ASP.Net MVC: Can the AuthorizeAttribute be overriden?

A custom attribute derived from AuthorizeAttribute is what I use to do this. Override the OnAuthorize method and implement your own logic.

public class OnlyUserAuthorizedAttribute : AuthorizeAttribute
{
    public override void OnAuthorize( AuthorizationContext filterContext )
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizeResult();
        }
        ...
    }
}

I implemented the following ActionFilterAttribute and it works to handle both authentication and roles. I am storing roles in my own DB tables like this:

• User
• UserRole (contains UserID and RoleID foreign keys)
• Role

public class CheckRoleAttribute : ActionFilterAttribute
{
    public string[] AllowedRoles { get; set; }


    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        string userName = filterContext.HttpContext.User.Identity.Name;

        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            if (AllowedRoles.Count() > 0)
            {
                IUserRepository userRepository = new UserRepository();
                User user = userRepository.GetUser(userName);
                bool userAuthorized = false;
                foreach (Role userRole in user.Roles)
                {
                    userAuthorized = false;
                    foreach (string allowedRole in AllowedRoles)
                    {
                        if (userRole.Name == allowedRole)
                        {
                            userAuthorized = true;
                            break;
                        }
                    }
                }
                if (userAuthorized == false)
                {
                    filterContext.HttpContext.Response.Redirect("/Account/AccessViolation", true);
                }
            }
            else
            {
                filterContext.HttpContext.Response.Redirect("/Account/AccessViolation", true);
            }
        }
        else
        {
            filterContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl + String.Format("?ReturnUrl={0}", filterContext.HttpContext.Request.Url.AbsolutePath), true);
        }


    }

I call this like this...

    [CheckRole(AllowedRoles = new string[] { "admin" })]
    public ActionResult Delete(int id)
    {
        //delete logic here
    }