I'm writing an application that will support customizable Users and Roles. By customizable, I mean that an administration form will be provided allowing the addition of Users, the creation of Roles, the assignment of Users to Roles, and most importantly the ability to associate authorization rules with Roles. When viewing a Role, an administrator would be presented with a series of checkboxes, for example, allowing them to authorize a role for areas of program functionality at their discretion. I need to be able to write code in the application such as:
if (!currentUser.IsAuthorizedTo(AuthorizationRules.ADD_ORDER))
{
    // Show not authorized message or prompt for elevation
}
Where the IsAuthorizedTo would look at the current user's roles and determine if any of them have the requisite authorization.
I've looked through the API docs and only found the web.config authorizations section, which is less than optimal. I'm guessing I may have to roll my own, but I thought I'd first ask:
Is there an existing method using the .NET membership/roles API or another suggested system (other than the .NET membership API) to allow fine-grained authorization based on roles and access rules?
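A minimal sketch of the model the question describes, as an added example that is not part of the original question or answers: each role holds the set of rules an administrator has ticked, and IsAuthorizedTo succeeds only if one of the user's roles grants the rule. Role, AppUser, Demo and every rule other than ADD_ORDER are hypothetical names, and persistence and the membership API are left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// ADD_ORDER comes from the question; the other rules are hypothetical.
public enum AuthorizationRules { ADD_ORDER, DELETE_ORDER, MANAGE_USERS }

public class Role
{
    private readonly HashSet<AuthorizationRules> _granted = new HashSet<AuthorizationRules>();
    public string Name { get; }
    public Role(string name) { Name = name; }

    // Called by the administration form when a checkbox is ticked or cleared.
    public void Set(AuthorizationRules rule, bool allowed)
    {
        if (allowed) _granted.Add(rule); else _granted.Remove(rule);
    }

    public bool Grants(AuthorizationRules rule) => _granted.Contains(rule);
}

public class AppUser
{
    public string Name { get; }
    public List<Role> Roles { get; } = new List<Role>();
    public AppUser(string name) { Name = name; }

    // Deny by default: no roles, or no role granting the rule, means refusal.
    // The role is consulted on every call, so a revoked rule stops working
    // immediately instead of surviving in a cached copy of the user's rights.
    public bool IsAuthorizedTo(AuthorizationRules rule) => Roles.Any(r => r.Grants(rule));
}

public static class Demo
{
    public static void Main()
    {
        var clerk = new Role("Clerk");                 // constructed sample data
        clerk.Set(AuthorizationRules.ADD_ORDER, true);
        var alice = new AppUser("alice");

        Console.WriteLine("no roles:      " + alice.IsAuthorizedTo(AuthorizationRules.ADD_ORDER));
        alice.Roles.Add(clerk);
        Console.WriteLine("as Clerk:      " + alice.IsAuthorizedTo(AuthorizationRules.ADD_ORDER));
        Console.WriteLine("ungranted:     " + alice.IsAuthorizedTo(AuthorizationRules.MANAGE_USERS));
        clerk.Set(AuthorizationRules.ADD_ORDER, false); // admin clears the checkbox
        Console.WriteLine("after revoke:  " + alice.IsAuthorizedTo(AuthorizationRules.ADD_ORDER));
    }
}
```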
The AuthorizeAttribute has a Roles property that may be useful. It would restrict certain controllers or actions to the specified roles. More here.
Update:
Here's an example from the NerdDinner project: