
I have been struggling with the architecture for my permission handling on an application I'm building. Basically it consists of permissions for each different view on the web page.

For example, permissions for the Service part of the website would look like the following:

```csharp
public bool ServiceView { get; set; }
public bool ServiceEdit { get; set; }
public bool ServiceCreate { get; set; }
public bool ServiceDelete { get; set; }
```

Where ServiceView lets you view services, ServiceEdit lets you edit them, and so on.

To check if a user has permission my first thought was to build a nested switch-case, like so:

```csharp
public bool IsAuthorized(string controller, string action)
{
    switch (controller)
    {
        case "Customer":
            switch (action)
            {
                case "Index":
                case "Details": return CustomerView;
                case "Edit": return CustomerEdit;
                case "Create": return CustomerCreate;
                case "Delete": return CustomerDelete;
                default: return false; // unknown action: deny (also prevents fall-through, which C# rejects)
            }
        case "Service":
            switch (action)
            {
                case "Index":
                case "Details": return ServiceView;
                case "Edit": return ServiceEdit;
                case "Create": return ServiceCreate;
                case "Delete": return ServiceDelete;
                default: return false;
            }
        default: return false; // unknown controller: deny
    }
}
```

This however seems really ugly to me, so I'm wondering if anyone has any tips for a simpler and probably more beautiful way of doing this?

I have been googling around a bit to get inspiration, and came across a reflection-based way where you try to match the string to the property. Might that be a better way?

Here are some related links that don't really give me the answer I'm looking for:
1. This related thread, which doesn't really get into details.
2. Another related thread, which doesn't go into details either, and where the accepted answer is role-based.
3. The answer to this thread is another way it could be handled.

Any help is highly appreciated.

Cheers!

Robin Dorbell
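A table-driven replacement for the nested switch, written here as an added example (not code from the question): two dictionaries map an MVC action to the right it needs and a controller/right pair to the flag that grants it, so every lookup that misses the table is denied by default, and a new controller is a block of entries rather than another switch. The `ActionToRight` and `Grants` names are my own.

```csharp
using System;
using System.Collections.Generic;
public class Permissions
{
    public bool CustomerView { get; set; }
    public bool CustomerEdit { get; set; }
    public bool CustomerCreate { get; set; }
    public bool CustomerDelete { get; set; }
    public bool ServiceView { get; set; }
    public bool ServiceEdit { get; set; }
    public bool ServiceCreate { get; set; }
    public bool ServiceDelete { get; set; }

    // MVC action name -> the right it needs. Index and Details are both reads.
    static readonly Dictionary<string, string> ActionToRight =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Index", "View" }, { "Details", "View" }, { "Edit", "Edit" },
            { "Create", "Create" }, { "Delete", "Delete" },
        };
    // "Controller/Right" -> the flag that grants it (assumed layout, not from the question).
    static readonly Dictionary<string, Func<Permissions, bool>> Grants =
        new Dictionary<string, Func<Permissions, bool>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Customer/View",   p => p.CustomerView },
            { "Customer/Edit",   p => p.CustomerEdit },
            { "Customer/Create", p => p.CustomerCreate },
            { "Customer/Delete", p => p.CustomerDelete },
            { "Service/View",    p => p.ServiceView },
            { "Service/Edit",    p => p.ServiceEdit },
            { "Service/Create",  p => p.ServiceCreate },
            { "Service/Delete",  p => p.ServiceDelete },
        };
    // Default deny: null input, an action or controller missing from the tables, or a false flag.
    public bool IsAuthorized(string controller, string action)
    {
        string right;
        Func<Permissions, bool> grant;
        return controller != null && action != null
            && ActionToRight.TryGetValue(action, out right)
            && Grants.TryGetValue(controller + "/" + right, out grant)
            && grant(this);
    }
    public static void Main()
    {
        // Sample permission set, constructed for the demo: read-only on services.
        var p = new Permissions { ServiceView = true };
        Console.WriteLine(p.IsAuthorized("Service", "Details") + " " + p.IsAuthorized("Service", "Edit"));
    }
}
```

The same `IsAuthorized` call can be made from an `AuthorizeAttribute` subclass's `OnAuthorization`, using `filterContext.ActionDescriptor.ControllerDescriptor.ControllerName` and `ActionDescriptor.ActionName` as the two arguments, so the check lives on the controller action as the comments below suggest.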
  • What's wrong with using role-based authorization? In your case I can see two roles, *Customer* and *Service*. Why not use them as such? Also you should not authorize views, but controller actions. Build up your views without any knowledge of the user viewing it. That's logic and therefore belongs to the controller. It's the controller's responsibility to check if the current user may see your view and return it if he's authorized or an error if not. – Carsten Apr 14 '14 at 13:31
  • Thanks for your response. Can a Customer really be represented by a role? If say, you have the Customer role, but only have access to view customers, and not to edit them, and/or create/delete them. A controller is used since it's asp.net MVC. And it controls if you're authorized for the action requested. The "IsAuthorized"-method is only a helper to check if a user is authorized. – Robin Dorbell Apr 14 '14 at 19:46
  • You can use the [`AuthorizeAttribute`](http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx) in order to mark the create and edit actions of the controller to require an authenticated user to be in a certain role to call those actions. Each action should have its own view and from the index view you can use `@User.IsInRole` to toggle the visibility of the links, pointing to those actions. – Carsten Apr 15 '14 at 06:52
  • Aye. That's what I'm currently doing. But using roles would mean there's a role for each permission. Say for example a role is CustomerView, which allows the user to view customers, and another role could be CustomerCreate, which allows the user to create Customers? – Robin Dorbell Apr 15 '14 at 10:57
  • Actually not, what you are talking of are permissions, but permissions result out of roles. If you authorize your customer create, view and edit actions for service, only service users may call those actions. The only shared action would be view in this case. – Carsten Apr 15 '14 at 12:42

0 Answers