Dynamic AuthorizeAttribute with database












2












$begingroup$


I want to create a AuthorizeAttribute that gets the current ActionMethod RouteData and searches in a database for a user that has access to this ActionMethod.



I created a UserAccessPermission table:



public class UserAccessPermission

{

    [Key]

  public int  UserAccessPermissionId { get; set; }

    public string ActionMethod { get; set; }

    public string Controller { get; set; }

    public string Area { get; set; }

    public bool HasAccess { get; set; }



    [DisplayName("User ID")]

    [ForeignKey("ApplicationUser")]

    public string Id { get; set; }

    [DisplayName("User")]

    public virtual ApplicationUser ApplicationUser { get; set; }



}


and then link it to the User table:



 public class ApplicationUser : IdentityUser

{

    public ApplicationUser()

    {

        AccessPermissions = new HashSet<UserAccessPermission>();



    }

 some custome field



    //*******************************************************************



    public virtual ICollection<UserAccessPermission> AccessPermissions { get; set; }



 }


so each user has multi ActionMethod that can access it. Then I create my custom AuthorizeAttribute:



  public class DynamicRoleAuthorizeAttribute : AuthorizeAttribute

{

   private readonly UserManager<ApplicationUser> _userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));



    protected override bool AuthorizeCore(HttpContextBase httpContext)

    {

        bool result = false;

        if (httpContext == null)

        {

            throw new ArgumentNullException("httpContext");

        }



        IPrincipal user = httpContext.User;

        if (!user.Identity.IsAuthenticated)

        {

            return false;

        }





        //var rolesProvider = new RoleProvider();

        var routeData = httpContext.Request.RequestContext.RouteData;

        var controller = routeData.GetRequiredString("controller");

        var action = routeData.GetRequiredString("action");

        string area = null;

        var userId = httpContext.User.Identity.GetUserId();

        var _user = _userManager.FindById(userId);



        if (routeData.DataTokens["area"] != null)

        {

            area = routeData.GetRequiredString("area");

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action) && x.Area.Equals(area)).Select(x => x.HasAccess).FirstOrDefault();



        }

        else

        {

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action)).Select(x => x.HasAccess).FirstOrDefault();



        }





        if (result)

        {

            return true;

        }



        return false;

        //return base.AuthorizeCore(httpContext);

    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)

    {

        filterContext.Result = new HttpUnauthorizedResult();

    }

}


But this approach is too hard for page management and the admin should give user access permission for each ActionMethod. Is there any better way to do this?






c# entity-framework asp.net-mvc authorization asp.net-identity







share|improve this question











$endgroup$












  • $begingroup$
    Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:33










  • $begingroup$
    A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:35










  • $begingroup$
    @GertArnold what do you mean by 'building blocks of your application'??
    $endgroup$
    – AminM
    May 20 '18 at 20:58










  • $begingroup$
    AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
    $endgroup$
    – Gert Arnold
    May 22 '18 at 6:56










  • $begingroup$
    @GertArnold what should i do know?
    $endgroup$
    – AminM
    May 24 '18 at 15:47
















2












$begingroup$


I want to create a AuthorizeAttribute that gets the current ActionMethod RouteData and searches in a database for a user that has access to this ActionMethod.



I created a UserAccessPermission table:



public class UserAccessPermission

{

    [Key]

  public int  UserAccessPermissionId { get; set; }

    public string ActionMethod { get; set; }

    public string Controller { get; set; }

    public string Area { get; set; }

    public bool HasAccess { get; set; }



    [DisplayName("User ID")]

    [ForeignKey("ApplicationUser")]

    public string Id { get; set; }

    [DisplayName("User")]

    public virtual ApplicationUser ApplicationUser { get; set; }



}


and then link it to the User table:



 public class ApplicationUser : IdentityUser

{

    public ApplicationUser()

    {

        AccessPermissions = new HashSet<UserAccessPermission>();



    }

 some custome field



    //*******************************************************************



    public virtual ICollection<UserAccessPermission> AccessPermissions { get; set; }



 }


so each user has multi ActionMethod that can access it. Then I create my custom AuthorizeAttribute:



  public class DynamicRoleAuthorizeAttribute : AuthorizeAttribute

{

   private readonly UserManager<ApplicationUser> _userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));



    protected override bool AuthorizeCore(HttpContextBase httpContext)

    {

        bool result = false;

        if (httpContext == null)

        {

            throw new ArgumentNullException("httpContext");

        }



        IPrincipal user = httpContext.User;

        if (!user.Identity.IsAuthenticated)

        {

            return false;

        }





        //var rolesProvider = new RoleProvider();

        var routeData = httpContext.Request.RequestContext.RouteData;

        var controller = routeData.GetRequiredString("controller");

        var action = routeData.GetRequiredString("action");

        string area = null;

        var userId = httpContext.User.Identity.GetUserId();

        var _user = _userManager.FindById(userId);



        if (routeData.DataTokens["area"] != null)

        {

            area = routeData.GetRequiredString("area");

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action) && x.Area.Equals(area)).Select(x => x.HasAccess).FirstOrDefault();



        }

        else

        {

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action)).Select(x => x.HasAccess).FirstOrDefault();



        }





        if (result)

        {

            return true;

        }



        return false;

        //return base.AuthorizeCore(httpContext);

    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)

    {

        filterContext.Result = new HttpUnauthorizedResult();

    }

}


But this approach is too hard for page management and the admin should give user access permission for each ActionMethod. Is there any better way to do this?






c# entity-framework asp.net-mvc authorization asp.net-identity







share|improve this question











$endgroup$












  • $begingroup$
    Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:33










  • $begingroup$
    A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:35










  • $begingroup$
    @GertArnold what do you mean by 'building blocks of your application'??
    $endgroup$
    – AminM
    May 20 '18 at 20:58










  • $begingroup$
    AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
    $endgroup$
    – Gert Arnold
    May 22 '18 at 6:56










  • $begingroup$
    @GertArnold what should i do know?
    $endgroup$
    – AminM
    May 24 '18 at 15:47














2












2








2


1



$begingroup$


I want to create a AuthorizeAttribute that gets the current ActionMethod RouteData and searches in a database for a user that has access to this ActionMethod.



I created a UserAccessPermission table:



public class UserAccessPermission

{

    [Key]

  public int  UserAccessPermissionId { get; set; }

    public string ActionMethod { get; set; }

    public string Controller { get; set; }

    public string Area { get; set; }

    public bool HasAccess { get; set; }



    [DisplayName("User ID")]

    [ForeignKey("ApplicationUser")]

    public string Id { get; set; }

    [DisplayName("User")]

    public virtual ApplicationUser ApplicationUser { get; set; }



}


and then link it to the User table:



 public class ApplicationUser : IdentityUser

{

    public ApplicationUser()

    {

        AccessPermissions = new HashSet<UserAccessPermission>();



    }

 some custome field



    //*******************************************************************



    public virtual ICollection<UserAccessPermission> AccessPermissions { get; set; }



 }


so each user has multi ActionMethod that can access it. Then I create my custom AuthorizeAttribute:



  public class DynamicRoleAuthorizeAttribute : AuthorizeAttribute

{

   private readonly UserManager<ApplicationUser> _userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));



    protected override bool AuthorizeCore(HttpContextBase httpContext)

    {

        bool result = false;

        if (httpContext == null)

        {

            throw new ArgumentNullException("httpContext");

        }



        IPrincipal user = httpContext.User;

        if (!user.Identity.IsAuthenticated)

        {

            return false;

        }





        //var rolesProvider = new RoleProvider();

        var routeData = httpContext.Request.RequestContext.RouteData;

        var controller = routeData.GetRequiredString("controller");

        var action = routeData.GetRequiredString("action");

        string area = null;

        var userId = httpContext.User.Identity.GetUserId();

        var _user = _userManager.FindById(userId);



        if (routeData.DataTokens["area"] != null)

        {

            area = routeData.GetRequiredString("area");

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action) && x.Area.Equals(area)).Select(x => x.HasAccess).FirstOrDefault();



        }

        else

        {

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action)).Select(x => x.HasAccess).FirstOrDefault();



        }





        if (result)

        {

            return true;

        }



        return false;

        //return base.AuthorizeCore(httpContext);

    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)

    {

        filterContext.Result = new HttpUnauthorizedResult();

    }

}


But this approach is too hard for page management and the admin should give user access permission for each ActionMethod. Is there any better way to do this?






c# entity-framework asp.net-mvc authorization asp.net-identity







share|improve this question











$endgroup$




I want to create a AuthorizeAttribute that gets the current ActionMethod RouteData and searches in a database for a user that has access to this ActionMethod.



I created a UserAccessPermission table:



public class UserAccessPermission

{

    [Key]

  public int  UserAccessPermissionId { get; set; }

    public string ActionMethod { get; set; }

    public string Controller { get; set; }

    public string Area { get; set; }

    public bool HasAccess { get; set; }



    [DisplayName("User ID")]

    [ForeignKey("ApplicationUser")]

    public string Id { get; set; }

    [DisplayName("User")]

    public virtual ApplicationUser ApplicationUser { get; set; }



}


and then link it to the User table:



 public class ApplicationUser : IdentityUser

{

    public ApplicationUser()

    {

        AccessPermissions = new HashSet<UserAccessPermission>();



    }

 some custome field



    //*******************************************************************



    public virtual ICollection<UserAccessPermission> AccessPermissions { get; set; }



 }


so each user has multi ActionMethod that can access it. Then I create my custom AuthorizeAttribute:



  public class DynamicRoleAuthorizeAttribute : AuthorizeAttribute

{

   private readonly UserManager<ApplicationUser> _userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));



    protected override bool AuthorizeCore(HttpContextBase httpContext)

    {

        bool result = false;

        if (httpContext == null)

        {

            throw new ArgumentNullException("httpContext");

        }



        IPrincipal user = httpContext.User;

        if (!user.Identity.IsAuthenticated)

        {

            return false;

        }





        //var rolesProvider = new RoleProvider();

        var routeData = httpContext.Request.RequestContext.RouteData;

        var controller = routeData.GetRequiredString("controller");

        var action = routeData.GetRequiredString("action");

        string area = null;

        var userId = httpContext.User.Identity.GetUserId();

        var _user = _userManager.FindById(userId);



        if (routeData.DataTokens["area"] != null)

        {

            area = routeData.GetRequiredString("area");

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action) && x.Area.Equals(area)).Select(x => x.HasAccess).FirstOrDefault();



        }

        else

        {

            result = _user.AccessPermissions.Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action)).Select(x => x.HasAccess).FirstOrDefault();



        }





        if (result)

        {

            return true;

        }



        return false;

        //return base.AuthorizeCore(httpContext);

    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)

    {

        filterContext.Result = new HttpUnauthorizedResult();

    }

}


But this approach is too hard for page management and the admin should give user access permission for each ActionMethod. Is there any better way to do this?






c# entity-framework asp.net-mvc authorization asp.net-identity




c# entity-framework asp.net-mvc authorization asp.net-identity






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 20 '18 at 19:15









Jamal

30.4k11120227




30.4k11120227










asked May 18 '18 at 16:04









AminMAminM

667




667












  • $begingroup$
    Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:33










  • $begingroup$
    A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:35










  • $begingroup$
    @GertArnold what do you mean by 'building blocks of your application'??
    $endgroup$
    – AminM
    May 20 '18 at 20:58










  • $begingroup$
    AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
    $endgroup$
    – Gert Arnold
    May 22 '18 at 6:56










  • $begingroup$
    @GertArnold what should i do know?
    $endgroup$
    – AminM
    May 24 '18 at 15:47


















  • $begingroup$
    Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:33










  • $begingroup$
    A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
    $endgroup$
    – Gert Arnold
    May 20 '18 at 19:35










  • $begingroup$
    @GertArnold what do you mean by 'building blocks of your application'??
    $endgroup$
    – AminM
    May 20 '18 at 20:58










  • $begingroup$
    AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
    $endgroup$
    – Gert Arnold
    May 22 '18 at 6:56










  • $begingroup$
    @GertArnold what should i do know?
    $endgroup$
    – AminM
    May 24 '18 at 15:47
















$begingroup$
Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
$endgroup$
– Gert Arnold
May 20 '18 at 19:33




$begingroup$
Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
$endgroup$
– Gert Arnold
May 20 '18 at 19:33












$begingroup$
A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
$endgroup$
– Gert Arnold
May 20 '18 at 19:35




$begingroup$
A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
$endgroup$
– Gert Arnold
May 20 '18 at 19:35












$begingroup$
@GertArnold what do you mean by 'building blocks of your application'??
$endgroup$
– AminM
May 20 '18 at 20:58




$begingroup$
@GertArnold what do you mean by 'building blocks of your application'??
$endgroup$
– AminM
May 20 '18 at 20:58












$begingroup$
AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
$endgroup$
– Gert Arnold
May 22 '18 at 6:56




$begingroup$
AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
$endgroup$
– Gert Arnold
May 22 '18 at 6:56












$begingroup$
@GertArnold what should i do know?
$endgroup$
– AminM
May 24 '18 at 15:47




$begingroup$
@GertArnold what should i do know?
$endgroup$
– AminM
May 24 '18 at 15:47










1 Answer
1






active

oldest

votes


















0












$begingroup$

Yes.
You are close, man!



You have to make relashionships between pairs of controller+action to some user actions.



For example:
Security Staff can only view Personal Info:
- View Personal



Then your HHRR Manager can:
- View Personal
- Add Personal
- Edit Personal



And finally HHRR Director he can do more actions like:




  • View Personal

  • Add Personal

  • Edit Personal

  • Delete Personl


And now in game you should include some extra tables, bro! hehehehehehe



Lets say your system has HHRR module.
Add this module record to the AccessModule table. Then add 3 records to AccessModuleActions like




  • HHRR Director

  • HHRR Manager

  • Security Staff


Apply ACL to each user via PersonalModuleActions table. Acctually you should use PersonalModuleActions at website admin GUI area.



And internally (no GUI for it) you will gonna use WebSiteAccessModuleActions table
where you keep relashionships between controller methods and those "roles".



This approach allows use




1) Ignore methods that are not described in WebSiteAccessModuleActions



2) Build very flexible ACL subsystem.




As you see we manipulate kinda of groups of controller methods represented in
a user friendly manner



- HHRR Director

- HHRR Manager

- Security Staff


So when I said you are close it is just implement one more level of abstraction.



Enjoy, dude!



enter image description here



P.S. Include Area columnto the WebSiteAccessModuleActions if you have
identical controller in several website's areas.






share|improve this answer










New contributor




Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$













    Your Answer





    StackExchange.ifUsing("editor", function () {
    return StackExchange.using("mathjaxEditing", function () {
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
    });
    });
    }, "mathjax-editing");

    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "196"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f194707%2fdynamic-authorizeattribute-with-database%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0












    $begingroup$

    Yes.
    You are close, man!



    You have to make relashionships between pairs of controller+action to some user actions.



    For example:
    Security Staff can only view Personal Info:
    - View Personal



    Then your HHRR Manager can:
    - View Personal
    - Add Personal
    - Edit Personal



    And finally HHRR Director he can do more actions like:




    • View Personal

    • Add Personal

    • Edit Personal

    • Delete Personl


    And now in game you should include some extra tables, bro! hehehehehehe



    Lets say your system has HHRR module.
    Add this module record to the AccessModule table. Then add 3 records to AccessModuleActions like




    • HHRR Director

    • HHRR Manager

    • Security Staff


    Apply ACL to each user via PersonalModuleActions table. Acctually you should use PersonalModuleActions at website admin GUI area.



    And internally (no GUI for it) you will gonna use WebSiteAccessModuleActions table
    where you keep relashionships between controller methods and those "roles".



    This approach allows use




    1) Ignore methods that are not described in WebSiteAccessModuleActions



    2) Build very flexible ACL subsystem.




    As you see we manipulate kinda of groups of controller methods represented in
    a user friendly manner



    - HHRR Director
    
- HHRR Manager
    
- Security Staff


    So when I said you are close it is just implement one more level of abstraction.



    Enjoy, dude!



    enter image description here



    P.S. Include Area columnto the WebSiteAccessModuleActions if you have
    identical controller in several website's areas.






    share|improve this answer










    New contributor




    Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






    $endgroup$


















      0












      $begingroup$

      Yes.
      You are close, man!



      You have to make relashionships between pairs of controller+action to some user actions.



      For example:
      Security Staff can only view Personal Info:
      - View Personal



      Then your HHRR Manager can:
      - View Personal
      - Add Personal
      - Edit Personal



      And finally HHRR Director he can do more actions like:




      • View Personal

      • Add Personal

      • Edit Personal

      • Delete Personl


      And now in game you should include some extra tables, bro! hehehehehehe



      Lets say your system has HHRR module.
      Add this module record to the AccessModule table. Then add 3 records to AccessModuleActions like




      • HHRR Director

      • HHRR Manager

      • Security Staff


      Apply ACL to each user via PersonalModuleActions table. Acctually you should use PersonalModuleActions at website admin GUI area.



      And internally (no GUI for it) you will gonna use WebSiteAccessModuleActions table
      where you keep relashionships between controller methods and those "roles".



      This approach allows use




      1) Ignore methods that are not described in WebSiteAccessModuleActions



      2) Build very flexible ACL subsystem.




      As you see we manipulate kinda of groups of controller methods represented in
      a user friendly manner



      - HHRR Director
      
- HHRR Manager
      
- Security Staff


      So when I said you are close it is just implement one more level of abstraction.



      Enjoy, dude!



      enter image description here



      P.S. Include Area columnto the WebSiteAccessModuleActions if you have
      identical controller in several website's areas.






      share|improve this answer










      New contributor




      Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      $endgroup$
















        0












        0








        0





        $begingroup$

        Yes.
        You are close, man!



        You have to make relashionships between pairs of controller+action to some user actions.



        For example:
        Security Staff can only view Personal Info:
        - View Personal



        Then your HHRR Manager can:
        - View Personal
        - Add Personal
        - Edit Personal



        And finally HHRR Director he can do more actions like:




        • View Personal

        • Add Personal

        • Edit Personal

        • Delete Personl


        And now in game you should include some extra tables, bro! hehehehehehe



        Lets say your system has HHRR module.
        Add this module record to the AccessModule table. Then add 3 records to AccessModuleActions like




        • HHRR Director

        • HHRR Manager

        • Security Staff


        Apply ACL to each user via PersonalModuleActions table. Acctually you should use PersonalModuleActions at website admin GUI area.



        And internally (no GUI for it) you will gonna use WebSiteAccessModuleActions table
        where you keep relashionships between controller methods and those "roles".



        This approach allows use




        1) Ignore methods that are not described in WebSiteAccessModuleActions



        2) Build very flexible ACL subsystem.




        As you see we manipulate kinda of groups of controller methods represented in
        a user friendly manner



        - HHRR Director
        
- HHRR Manager
        
- Security Staff


        So when I said you are close it is just implement one more level of abstraction.



        Enjoy, dude!



        enter image description here



        P.S. Include Area columnto the WebSiteAccessModuleActions if you have
        identical controller in several website's areas.






        share|improve this answer










        New contributor




        Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        $endgroup$



        Yes.
        You are close, man!



        You have to make relashionships between pairs of controller+action to some user actions.



        For example:
        Security Staff can only view Personal Info:
        - View Personal



        Then your HHRR Manager can:
        - View Personal
        - Add Personal
        - Edit Personal



        And finally HHRR Director he can do more actions like:




        • View Personal

        • Add Personal

        • Edit Personal

        • Delete Personl


        And now in game you should include some extra tables, bro! hehehehehehe



        Lets say your system has HHRR module.
        Add this module record to the AccessModule table. Then add 3 records to AccessModuleActions like




        • HHRR Director

        • HHRR Manager

        • Security Staff


        Apply ACL to each user via PersonalModuleActions table. Acctually you should use PersonalModuleActions at website admin GUI area.



        And internally (no GUI for it) you will gonna use WebSiteAccessModuleActions table
        where you keep relashionships between controller methods and those "roles".



        This approach allows use




        1) Ignore methods that are not described in WebSiteAccessModuleActions



        2) Build very flexible ACL subsystem.




        As you see we manipulate kinda of groups of controller methods represented in
        a user friendly manner



        - HHRR Director
        
- HHRR Manager
        
- Security Staff


        So when I said you are close it is just implement one more level of abstraction.



        Enjoy, dude!



        enter image description here



        P.S. Include Area columnto the WebSiteAccessModuleActions if you have
        identical controller in several website's areas.







        share|improve this answer










        New contributor




        Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer








        edited 6 mins ago





















        New contributor




        Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered 16 mins ago









        Academy of ProgrammerAcademy of Programmer

        1013




        1013




        New contributor




        Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        Academy of Programmer is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Code Review Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f194707%2fdynamic-authorizeattribute-with-database%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Список кардиналов, возведённых папой римским Каликстом III

            Image
            Папа Каликст III Кардиналы, возведённые Папой римским Каликстом III  — 9 прелатов и мирян были возведены в сан кардинала на двух Консисториях за трёхлетний понтификат Каликста III. Самой крупной консисторией были Консистория от 17 декабря 1456 года, на которой было возведено шесть кардиналов. Папа Каллист III хотел назвать отца Жан Сорета, O.Carm., епископом или кардиналом, но он отказался, потому что хотел посвятить себя своему ордену и продвижению религиозного рвения и соблюдения устава монашеского ордена. Консистория от 17 сентября 1456 года | Луис Хуан дель Мила, племянник Его Святейшества, епископ Сегорбе (королевство Арагон); Жайме Португальский, администратор архиепархии Лиссабона (королевство Португалия); Родриго де Борха-и-Борха, племянник Его Святейшества, ризничий Валенсии (Папская область). Консистория от 17 декабря 1456 года | Ринальдо Пишичелло, архиепископ Неаполя (Неаполитанское королевство); Хуан де Мелья, епископ Саморы (королевство Ка
            Read more

            Deduzione

            Image
            .mw-parser-output .nota-disambigua{clear:both;margin-bottom:.5em;border:1px solid #CCC;padding-left:4px}.mw-parser-output .nota-disambigua i{vertical-align:middle} Disambiguazione – Se stai cercando il teorema, vedi Teorema di deduzione . Disambiguazione – Se stai cercando il concetto di deduzione in economia, vedi deduzione fiscale . Il ragionamento deduttivo umano assimilato a un meccanismo Il metodo deduttivo o deduzione è il procedimento razionale che fa derivare una certa conclusione da premesse più generiche, dentro cui quella conclusione è implicita. Il termine significa letteralmente «condurre da», perché proviene dal latino "de" (traducibile con da , preposizione indicante provenienza, o moto di discesa dall'alto verso il basso) e "ducere" ( condurre ). Questo metodo parte da postulati e princìpi primi e, attraverso una serie di rigorose concatenazioni logiche, procede verso determinazioni più particolari attinenti alla realtà tangi
            Read more

            Mysql.sock missing - “Can't connect to local MySQL server through socket”

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 Operating System - OSX 10.11.2 MAMP version - 3.5 I'm following along with this guide, setting up wordpress with Xammp on PC and MAMP on Mac, where I'm in step "Mac - 4" is asked to input: "In the Terminal run: /Applications/MAMP/Library/bin/mysqladmin -u root -p password {Your Windows MySQL password here}" However, this (with out bracket text) results in error message: error: 'Can't connect to local MySQL server through socket '/Applications/MAMP/tmp/mysql/mysql.sock' (2)' Check that mysqld is running and that the socket: '/Applications/MAMP/tmp/mysql/mysql.sock'
            Read more