0

I know it is possible to annotate action methods to control access depending on roles like [Authorize(Roles = "Publisher")] but how can I achieve the same result if the access control information comes from database and can be changed anytime.

For example: Create action method can be accessed by Publisher but cannot be tomorrow because Admin disallowed Publisher to Create. This information will come from database and I have to somehow put appropriate annotation in runtime.

I hope I was able to convey my question properly. Any suggestion is appreciated.

lbrahim
  • 3,710
  • 12
  • 57
  • 95

1 Answers1

1

Create action method can be accessed by Publisher but cannot be tomorrow because Admin disallowed Publisher to Create. This information will come from database and I have to somehow put appropriate annotation in runtime.

I wouldn't solve the problem the way you mentioned. Changing Authorize attribute from "Publisher" to something else at runtime is not a good solution. Instead what you can do is to manage users in Publisher Role (for example remove/add users to that role at runtime). What I mean is, let Publisher Role have access to Create Action, but on the SQL side, you manage users who come under publisher role. In that way, there is no need for you to change Authorize attribute at runtime.

To maintain your roles in a SQL Database and use them, you can go for Custom Role Provider.

ramiramilu
  • 17,044
  • 6
  • 49
  • 66
  • Thanks for your comment. As I mentioned, I will be making changes to the database but to reflect that, don't I have to restrict the user from accessing a particular `Action` and instead show a Access Denied `View`? AFAIK, I need `Authorize` attribute to do that. Please suggest. – lbrahim Feb 03 '14 at 12:41