Abstract to Privileges rather than to Roles in ASP.NET Applications: ASP Alliance

Print Add To Favorites Email To Friend Rate This Article
Abstract to Privileges rather than to Roles in ASP.NET Applications

page 2 of 3

by Steven Smith
Feedback

Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 25319/ 43

Article Contents:

The Solution

Represent the notion of access to a particular operation as a Privilege. For example, in this case we want to be able to say whether the current user is authorized to edit a particular article. That's all that's involved here. So we need an abstraction that allows us to refer to a user, an article, and a place to store the logic to say whether or not the operation is authorized. Something like this:

public abstract class Privilege<T>
{
  public abstract bool AuthorizedToEdit(T item, User user);
}
public class ArticlePrivilege : Privilege<Article>
{
  public override bool AuthorizedToEdit(Article item, User user)
  {
    if(user.IsInRole(Roles.Editor)) return true;
    if(user.IsInRole(Roles.Author))
   {
   return UserIsArticleAuthor(item,user) && ArticleNotSubmitted(item);
   }
  return false;
}
  // implement UserIsArticleAuthor() and ArticleNotSubmitted() here
}

Now within our page, if we want to determine whether the user is authorized to edit the article, we simply create a new privilege object and check its AuthorizedToEdit() method. This could easily be made into an extension method on User, Article, or both, if desired for convenience.

var articlePrivilege = new ArticlePrivilege();
 if(articlePrivilege.AuthorizedToEdit(article, currentUser))
{
  editLink.Visible = true;
}

« (Page 1)

View Entire Article

(Page 3) »

User Comments

Title: Dermatal
Name: Dermatal
Date: 2010-12-30 1:42:12 AM
Comment:
It is a actually adequate apprehend for me, to acquire that you are a allotment of the finest bloggers I acquire seen. Thanks for publishing this aboveboard cavalcade Developer Symposium | Trust.. Continue the adequate work, I acquire added you to my blogroll.

Title: Nice solution, but there is at least one other way
Name: Mark Kamoski
Date: 2010-12-29 11:56:04 AM
Comment:
Nice solution, but there is at least one other way. I usually use an added table bolted onto the ASP.NET Application Services tables that maps (object-type and action-type) and then grants (or denies) access to that operation. The calls look like something like this... bool hasPermission = SecurityHelper.HasPermission(CurrentUserName, ObjectName, ActionName); ...and so on. That works OK too. Just a thought. Thank you. -- Mark Kamoski

Title: use static
Name: Trevor
Date: 2010-12-29 11:12:51 AM
Comment:
I would prefer to see a static method below. ie.

ArticlePrivilege.AuthorizedToEdit

That way you don't need to instantiate a class for no reason.

----
var articlePrivilege = new ArticlePrivilege();
if(articlePrivilege.AuthorizedToEdit(article, currentUser))
{
editLink.Visible = true;
}
----

Product Spotlight