1

Possible Duplicate:
ASP.NET MVC3 Role and Permission Management -> With Runtime Permission Assignment

Say I have an ActionResult Members in a controller that should only allow members to access it. Normally I would just put a [Authorize(Roles = "Members")] attribute on the action to only allow authenticated users in the Members role to access it.

Is there a way I can allow admins (or whatever) to change it in the future to lets say [Authorize(Roles = "Members, PotentialMembers ")] (this would allow users in the roles Members and PotentialMembers to access this action?

Thanks

Community
  • 1
  • 1
Garrett Fogerlie
  • 4,450
  • 3
  • 37
  • 56

2 Answers2

0

No, you can't do this with the AuthorizeAttribute. The roles you pass into it are hard compiled into the application.

There are other ways to go about it, though. You could write your own authorization filter. Or you could just create a base class that overrides OnAuthorization or similar.

Erik Funkenbusch
  • 92,674
  • 28
  • 195
  • 291
0

You can't, unfortunately, do this with the default attribute. You could, however, write your own attribute by inheriting from Authorize (or you can readily get the source for Authorize on the web).

From there, you would have to devise a mechanism for a) storing the allowed roles per controller through some kind of interface, and b) using those mappings in your custom filter attribute to allow/deny access.

If you were to do this, I would recommend loading the mapping at application start up and using an in-memory manager to signal configuration changes.

MisterJames
  • 3,306
  • 1
  • 30
  • 48