使用EF在MVC4中实现公司，部门，部门用户访问控制

Question

This is my first question on stackoverflow, so please be gentle. I am writing a customer portal to a warehouse application using MVC4, Entity Framework and SimpleMembership. The warehouse hosts contents for multiple companies. Each company has divisions and departments. The users will have varying access to the information for their company, divisions, and departments. I am looking for an elegant solution for access control. So far, my model looks like this:

public class UserProfile
{
    UserProfile()
    {
        this.AccessControl = new HashSet<AccessControl>();
    }

    [Key]
    [DatabaseGeneratedAttribute(DatabaseGeneratedOption.Identity)]
    public int UserId { get; set; }
    public string UserName { get; set; }
    public Nullable<int> CompanyId { get; set; }
    public virtual ICollection<AccessControl> { get; set; }
    public virtual Company Company { get; set; }
}

public class AccessControl
{
    public int AccessControlId { get; set; }
    public int UserId { get; set; }
    public int CompanyId { get; set; }
    public Nullable<int> DivisionId { get; set; }
    public Nullable<int> DepartmentId { get; set; }
    public Boolean ReadAccess { get; set; }
    public Boolean WriteAccess { get; set; }

    // other properties for access control

    public virtual UserProfile UserProfile { get; set; }
    public virtual Company Company { get; set; }
    public virtual Division Division { get; set; }
    public virtual Department Department { get; set; }
}

public class Content
{
    public int ContentId { get; set; }
    public int CompanyId { get; set; }
    public int DivisionId { get; set; }
    public int DepartmentId { get; set; }

    // Various other properties

    public virtual Company Company { get; set; }
    public virtual Division Division { get; set; }
    public virtual Department { get; set; }
}

My thought was that a NULL Division means all divisions and a NULL Department means all departments. My questions are:

1. What is an elegant way to write the repository method to retrieve a list of Content objects for a user based on their access control list as well as populating division and department select lists in CRUD views?
2. Is there a better way to model this access control list?

Answer 1

I don't think this addresses all of your questions yet, but I think a repository that looks something like this:

public class accessRepository
{
    accessContext context = new accessContext();

    public IQueryable<Content> GetAccessibleContentFor(int userId)
    {
        var up = context.UserProfiles.Single(u => u.UserId == userId);
        var companyId = up.CompanyId;

        return from c in context.Content 
               where c.CompanyId == companyId 
               && (up.AccessControl.Any(
                    a=> 
                        a.CompanyId == c.CompanyId && 
                        a.DivisionId == c.DivisionId && 
                        a.DepartmentId == c.DepartmentId) 
               || up.AccessControl.Any(
                    a=>a.CompanyId == c.CompanyId && 
                        a.DivisionId == c.DivisionId && 
                        a.DepartmentId == null)
               || up.AccessControl.Any(
                    a=>
                        a.CompanyId == c.CompanyId && 
                        a.DivisionId == null)
               select c;
    }
}

would allow you get back the content that is accessible if:

1. The content belongs to the user's Company.
2. The user Can access content for the Company, Division, and Department
3. Or the user can access content for the Company and Division (all Departments)
4. Or the user can access content for the Company (all divisions) [ all departments, is assumed in this case.]

Answer 2

You should look into a policy- and attribute-based solution that's independent of your app where you can write authorization policies eg

a user can access content in the warehouse if the content.department==user.department && content.company==user.company.

XACML sounds like the perfect model. I wrote this demo where I do access control on purchase orders based on the purchaser, the amount, the location and the status of the PO. I don't need to change the app code because I use XACML externally.