Dynamic AuthorizeAttribute with database
I want to create an AuthorizeAttribute that gets the current ActionMethod RouteData and searches in a database for a user that has access to this ActionMethod.

I created a UserAccessPermission table:

using System.ComponentModel;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;

public class UserAccessPermission
{
    [Key]
    public int UserAccessPermissionId { get; set; }
    public string ActionMethod { get; set; }
    public string Controller { get; set; }
    public string Area { get; set; }
    public bool HasAccess { get; set; }

    [DisplayName("User ID")]
    [ForeignKey("ApplicationUser")]
    public string Id { get; set; }
    [DisplayName("User")]
    public virtual ApplicationUser ApplicationUser { get; set; }
}

and then link it to the User table:

using System.Collections.Generic;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser
{
    public ApplicationUser()
    {
        AccessPermissions = new HashSet<UserAccessPermission>();
    }

    // ... some custom fields ...

    //*******************************************************************

    public virtual ICollection<UserAccessPermission> AccessPermissions { get; set; }
}

so each user has multiple ActionMethods that they can access. Then I create my custom AuthorizeAttribute:

using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class DynamicRoleAuthorizeAttribute : AuthorizeAttribute
{
    // MVC caches filter attribute instances, so this UserManager (and the DbContext
    // behind it) lives for the lifetime of the application, not of one request.
    private readonly UserManager<ApplicationUser> _userManager =
        new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        IPrincipal user = httpContext.User;
        if (!user.Identity.IsAuthenticated)
        {
            return false;
        }

        var routeData = httpContext.Request.RequestContext.RouteData;
        var controller = routeData.GetRequiredString("controller");
        var action = routeData.GetRequiredString("action");
        var userId = user.Identity.GetUserId();
        var _user = _userManager.FindById(userId);
        if (_user == null)
        {
            return false;
        }

        // The area name lives in DataTokens, not in the route values, so it is read from
        // there; GetRequiredString("area") throws when the value is absent.
        var area = routeData.DataTokens["area"] as string;
        bool result;
        if (area != null)
        {
            result = _user.AccessPermissions
                .Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action) && area.Equals(x.Area))
                .Select(x => x.HasAccess)
                .FirstOrDefault();
        }
        else
        {
            result = _user.AccessPermissions
                .Where(x => x.Controller.Equals(controller) && x.ActionMethod.Equals(action))
                .Select(x => x.HasAccess)
                .FirstOrDefault();
        }

        return result;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

But this approach is too hard for page management, and the admin has to grant each user an access permission for every ActionMethod. Is there any better way to do this?
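A hardened variant of the attribute in the question, added here as an example and not part of the question or its author's code. It keeps the same UserAccessPermission table but resolves the DbContext per request, issues one database query instead of lazy-loading every permission row of the user, reads the area from DataTokens (where MVC stores it), and answers an authenticated-but-unauthorized request with 403 instead of 401. It assumes the default MVC 5 template registration `app.CreatePerOwinContext(ApplicationDbContext.Create)` and that `ApplicationDbContext` exposes a `DbSet<UserAccessPermission> UserAccessPermissions`, neither of which the question shows.

```csharp
// Added example, not the question's code. Assumes the MVC 5 template's
// app.CreatePerOwinContext(ApplicationDbContext.Create) registration and a
// DbSet<UserAccessPermission> named UserAccessPermissions on ApplicationDbContext.
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class PerRequestDbAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var identity = httpContext.User?.Identity;
        if (identity == null || !identity.IsAuthenticated) return false;

        var userId = identity.GetUserId();
        if (string.IsNullOrEmpty(userId)) return false;

        var routeData = httpContext.Request.RequestContext.RouteData;
        var controller = routeData.GetRequiredString("controller");
        var action = routeData.GetRequiredString("action");
        // Area routes put the area name in DataTokens; GetRequiredString("area") would throw.
        var area = routeData.DataTokens["area"] as string;

        // One context per request, created and disposed by the OWIN pipeline.
        var db = httpContext.GetOwinContext().Get<ApplicationDbContext>();

        return HasPermission(db, userId, controller, action, area);
    }

    // Kept separate so it can be exercised against a test context without an HttpContext.
    internal static bool HasPermission(ApplicationDbContext db, string userId,
                                       string controller, string action, string area)
    {
        // A single SELECT ... WHERE EXISTS; EF6 compensates for null, so when area is null
        // only rows whose Area column is NULL match, never rows belonging to an area.
        return db.UserAccessPermissions.Any(p =>
            p.Id == userId &&
            p.Controller == controller &&
            p.ActionMethod == action &&
            p.Area == area &&
            p.HasAccess);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: 403. A 401 would redirect an already
        // signed-in user back to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

One caveat worth checking in either version: route values carry the casing the client typed, and MVC matches controllers and actions case-insensitively, so `/home/index` and `/Home/Index` reach the same action. The in-memory `Equals` in the question is case-sensitive and would treat those as different permissions; pushing the comparison into the database, as above, makes the outcome depend on the column collation instead, so normalize the stored names (or the route values) to one casing to keep the check deterministic.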
  • Designing appropriate authorization usually requires a lot more information analysis than can be offered in a Code Review question. We know nothing of the building blocks of your application, required access levels or required granularity of the authorization. I really wouldn't know where to start. "Too broad" if you ask me.
    – Gert Arnold
    May 20 '18 at 19:33

  • A good start could be to look at industry standards, for example claims and scopes as implemented by IdentityServer.
    – Gert Arnold
    May 20 '18 at 19:35

  • @GertArnold what do you mean by 'building blocks of your application'?
    – AminM
    May 20 '18 at 20:58

  • AKA aggregates: distinct parts of the application, some of which may require fine-grained authorization, some may be authorizable as a whole or are authorization-free, etc.
    – Gert Arnold
    May 22 '18 at 6:56

  • @GertArnold What should I do now?
    – AminM
    May 24 '18 at 15:47
c# entity-framework asp.net-mvc authorization asp.net-identity

asked May 18 '18 at 16:04 by AminM
edited May 20 '18 at 19:15 by Jamal
1 Answer
Yes.
You are close, man!

You have to make relationships between pairs of controller+action and some user actions.

For example:
Security Staff can only view Personal Info:
- View Personal

Then your HHRR Manager can:
- View Personal
- Add Personal
- Edit Personal

And finally the HHRR Director can do more actions like:

  • View Personal
  • Add Personal
  • Edit Personal
  • Delete Personal

And now in the game you should include some extra tables, bro! hehehehehehe

Let's say your system has an HHRR module.
Add this module record to the AccessModule table. Then add 3 records to AccessModuleActions like

  • HHRR Director
  • HHRR Manager
  • Security Staff

Apply ACL to each user via the PersonalModuleActions table. Actually you should use PersonalModuleActions in the website admin GUI area.

And internally (no GUI for it) you're gonna use the WebSiteAccessModuleActions table
where you keep relationships between controller methods and those "roles".

This approach allows us to:

1) Ignore methods that are not described in WebSiteAccessModuleActions

2) Build a very flexible ACL subsystem.

As you see, we manipulate kind of groups of controller methods represented in
a user-friendly manner:

- HHRR Director
- HHRR Manager
- Security Staff

So when I said you are close, it is just: implement one more level of abstraction.

Enjoy, dude!

P.S. Include an Area column in WebSiteAccessModuleActions if you have
identical controllers in several of the website's areas.

– Academy of Programmer
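The extra level of abstraction the answer describes, written out as an added example (not the answer's own code or schema): EF6 code-first entities for the four tables the answer names, the lookup that resolves a controller/action/area to the module actions a user holds, and an authorize filter built on it. The table and column names follow the answer's wording; the entity shapes, keys, the AclDbContext name, and the fail-closed treatment of unmapped actions are this example's own choices.

```csharp
// Added example, not the answer's code. Entity shapes and AclDbContext are assumed;
// table names (AccessModule, AccessModuleActions, PersonalModuleActions,
// WebSiteAccessModuleActions) come from the answer.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// A functional module of the site, e.g. "HHRR".
public class AccessModule
{
    [Key] public int AccessModuleId { get; set; }
    [Required, MaxLength(100)] public string Name { get; set; }
    public virtual ICollection<AccessModuleAction> Actions { get; set; } = new HashSet<AccessModuleAction>();
}

// A user-facing group of capabilities inside a module, e.g. "HHRR Manager".
public class AccessModuleAction
{
    [Key] public int AccessModuleActionId { get; set; }
    public int AccessModuleId { get; set; }
    [Required, MaxLength(100)] public string Name { get; set; }
    public virtual AccessModule Module { get; set; }
}

// Admin-facing ACL: which user holds which module action.
public class PersonalModuleAction
{
    [Key] public int PersonalModuleActionId { get; set; }
    [Required] public string UserId { get; set; }          // IdentityUser.Id
    public int AccessModuleActionId { get; set; }
    public virtual AccessModuleAction ModuleAction { get; set; }
}

// Internal mapping with no GUI: which controller/action/area each module action unlocks.
public class WebSiteAccessModuleAction
{
    [Key] public int WebSiteAccessModuleActionId { get; set; }
    public int AccessModuleActionId { get; set; }
    [Required, MaxLength(100)] public string Controller { get; set; }
    [Required, MaxLength(100)] public string Action { get; set; }
    [MaxLength(100)] public string Area { get; set; }      // null for non-area routes (the P.S.)
    public virtual AccessModuleAction ModuleAction { get; set; }
}

public class AclDbContext : DbContext
{
    public DbSet<AccessModule> AccessModules { get; set; }
    public DbSet<AccessModuleAction> AccessModuleActions { get; set; }
    public DbSet<PersonalModuleAction> PersonalModuleActions { get; set; }
    public DbSet<WebSiteAccessModuleAction> WebSiteAccessModuleActions { get; set; }
}

public enum AclDecision { Allow, Deny, NotMapped }

public static class AclCheck
{
    // Route -> mapped module action(s) -> does the user hold any of them?
    public static AclDecision Evaluate(AclDbContext db, string userId,
                                       string controller, string action, string area)
    {
        var mapped = db.WebSiteAccessModuleActions.Where(m =>
            m.Controller == controller && m.Action == action && m.Area == area);

        if (!mapped.Any()) return AclDecision.NotMapped;

        // Translated to one query with an EXISTS subquery against PersonalModuleActions.
        var held = mapped.Any(m => db.PersonalModuleActions.Any(p =>
            p.UserId == userId && p.AccessModuleActionId == m.AccessModuleActionId));

        return held ? AclDecision.Allow : AclDecision.Deny;
    }
}

public sealed class ModuleActionAuthorizeAttribute : AuthorizeAttribute
{
    // The answer "ignores" unmapped methods. This example fails closed instead: a missing
    // mapping denies unless the attribute is applied with AllowUnmapped = true.
    public bool AllowUnmapped { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        if (!httpContext.User.Identity.IsAuthenticated) return false;

        var routeData = httpContext.Request.RequestContext.RouteData;
        AclDecision decision;
        using (var db = new AclDbContext())   // per-call here; use a per-request context in production
        {
            decision = AclCheck.Evaluate(db,
                httpContext.User.Identity.GetUserId(),
                routeData.GetRequiredString("controller"),
                routeData.GetRequiredString("action"),
                routeData.DataTokens["area"] as string);
        }

        return decision == AclDecision.Allow || (AllowUnmapped && decision == AclDecision.NotMapped);
    }
}
```

With this split, administrators only ever edit PersonalModuleActions (user to "HHRR Manager"), while developers seed WebSiteAccessModuleActions when they add or rename an action; a route that was forgotten in that seed shows up as NotMapped rather than silently granting access, which is the behaviour to verify in a test before relying on the filter.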