
Simplemembership Filter User Access to pages where roles don't apply (ASP.NET MVC 4)

I'm new to Authorization and Authentication, but I recently started using Simplemembership on my college project. I managed to get it running. My problem is, I'm not exactly sure how to approach a certain issue.

There's a Projects Area and inside Controllers that lead to a few different pages. All users can access the Projects Area and the pages within it, but they should only be able to access and alter the pages/contents related to the "projects" they're part of. It's not a role issue.

I wish to know a simple way to create a filter that restricts the access according to their dependencies, so the user won't just type an "id" in the URL and see stuff that belongs to another group. Preferably without having to customize the provider since it's not the focus of my application.

I'm using MVC 4 with C#, and EF 5.

You have two options:

Firstly, you could forget writing a custom authorization attribute and just do the checks inside your action method. However, writing a custom authorize attribute is not that hard and should work for your scenario. I wrote one that was based on specific permissions rather than roles, for example.

Something like this should work for you:

using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorize : AuthorizeAttribute
{
    // MVC caches filter attribute instances and shares them between requests,
    // so per-request state (like the project id) must not live in an instance
    // field; it is read from the current request on every authorization check.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))
        {
            return false; // not authenticated, or not in the configured Users/Roles
        }

        int projectId;
        if (!TryGetProjectId(httpContext, out projectId))
        {
            return false; // no usable "project_id" in the route or query string
        }

        // YourCurrentUserObject.IsPartofProject is the application's own
        // user-to-project membership lookup (placeholder, to be replaced).
        return YourCurrentUserObject.IsPartofProject(projectId);
    }

    private static bool TryGetProjectId(HttpContextBase httpContext, out int projectId)
    {
        // get the "project id" parameter of the action method from the route data,
        // falling back to the query string
        RouteData routeData = httpContext.Request.RequestContext.RouteData;
        object raw;
        if (!routeData.Values.TryGetValue("project_id", out raw))
        {
            raw = httpContext.Request.QueryString["project_id"];
        }

        return int.TryParse(Convert.ToString(raw), out projectId);
    }
}

One solution is to have a table that maps the relationship between users and projects. You most likely already have such a table. I am not familiar with your application domain, but I assume that we are talking about a many-to-many relationship, where a user can have many projects and projects can have many users. If you use the same ID for the user that is used by SimpleMembership this will be very straightforward. In the action for the controller that returns the project information based on a project ID passed in the URL, first check that the user is authenticated by calling WebSecurity.IsAuthenticated. If they are not authenticated redirect to the login page. Then in your query to return the project information join to the table that maps users to projects and make sure that the current user is part of the project being requested. You can get the current user ID by calling WebSecurity.CurrentUserId.
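The approach in the answer above, written out as a complete controller action. This is an added example, not code from either answer; it assumes a constructed EF 5 model with a ProjectMembers join table whose UserId is the SimpleMembership user id.

```csharp
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;
using WebMatrix.WebData;
// Assumed entity model (constructed for this example, not from the question):
// users and projects are linked through a ProjectMembers join table whose
// UserId holds the same integer SimpleMembership reports as WebSecurity.CurrentUserId.
public class Project
{
    public int ProjectId { get; set; }
    public string Name { get; set; }
    public virtual ICollection<ProjectMember> Members { get; set; }
}

public class ProjectMember
{
    public int ProjectMemberId { get; set; }
    public int ProjectId { get; set; }
    public int UserId { get; set; }
}

public class ProjectsContext : DbContext
{
    public DbSet<Project> Projects { get; set; }
    public DbSet<ProjectMember> ProjectMembers { get; set; }
}

public class ProjectsController : Controller
{
    private readonly ProjectsContext db = new ProjectsContext();

    // GET /Projects/Details/5
    public ActionResult Details(int id)
    {
        if (!WebSecurity.IsAuthenticated)
        {
            return new HttpUnauthorizedResult(); // forms auth redirects to the login page
        }
        int userId = WebSecurity.CurrentUserId;

        // Membership is part of the query itself, so a user who edits the id in
        // the URL gets "not found" for any project they are not a member of.
        Project project = db.Projects.SingleOrDefault(
            p => p.ProjectId == id && p.Members.Any(m => m.UserId == userId));

        return project == null ? (ActionResult)HttpNotFound() : View(project);
    }
}
```

The same membership-filtered lookup belongs in every action that alters project content (Edit, Delete and their POST handlers), not only the read-only Details action.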
