I have a web application written in asp.net mvc with fluent nhibernate.
Data hierarchy: Post -> Category -> Company
User roles: user, admin
I am trying to find an architecture to develop custom authorization. A user can be a member of multiple companies. Also, a user can be an admin of one company while being just a member of another company.
We also want to develop custom authorization based on controller, action or the id of the action. For example, a user can be admin of just one category.
Namely, in our future system there will be users and user groups, where users and groups belong to a company, and custom authorization will be applied to them based on URL (controller/action/id).
Any recommendations, useful links, etc.?
This is a bit tricky actually – you may want to rethink the custom authorization and consider populating the roles in say Application_AuthenticateRequest, and then use the [Authorize] attribute to do the actual checks if the user belongs to those roles. This way you are applying it directly to the action method and avoiding a custom mess but achieving basically the same result.
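An added example of the approach above, written in C# and not taken from the answer's author: Application_AuthenticateRequest turns the user's per-company memberships into role names once per request, and a small AuthorizeAttribute subclass (going one step beyond the answer) checks the role for the company named in the URL. The `Company:<id>:<role>` naming, the `UserRoleRepository` lookup and treating the route's `id` as the company id are assumptions of this example.

```csharp
// Global.asax.cs: build the caller's roles once per request so that the
// [Authorize]-style attribute below can do the actual checks.
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;

public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        // Hypothetical repository: returns (CompanyId, Role) memberships for the
        // user, e.g. (1, "Admin"), (2, "User"); backed by NHibernate in practice.
        var memberships = UserRoleRepository.GetRoles(user.Identity.Name);
        var roles = memberships
            .Select(m => string.Format("Company:{0}:{1}", m.CompanyId, m.Role))
            .ToArray();

        // Replace the identity's principal with one that carries the roles.
        var principal = new GenericPrincipal(user.Identity, roles);
        HttpContext.Current.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}

// Requires the given role in the company identified by the route's "id" value
// (assumed here to be the company id). Unauthenticated callers and callers
// without the role get the usual 401 / login redirect from the base class.
public class CompanyAuthorizeAttribute : AuthorizeAttribute
{
    public string CompanyRole { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // not authenticated
        var routeData = httpContext.Request.RequestContext.RouteData;
        var id = Convert.ToString(routeData.Values["id"]);
        if (string.IsNullOrEmpty(id)) return false;         // no company in URL
        return httpContext.User.IsInRole("Company:" + id + ":" + CompanyRole);
    }
}

public class CategoryController : Controller
{
    // Only admins of the company in /Category/Edit/{id} reach this action.
    [CompanyAuthorize(CompanyRole = "Admin")]
    public ActionResult Edit(int id) { return View(); }
}
```

Because the roles are rebuilt on every request, a revoked membership takes effect immediately; do not combine this with OutputCache on the protected actions, or a cached response could be served to a caller the attribute would have rejected.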
We are having a similar discussion, not yet resolved, at:
Questions about a Custom Security setup for MVC3 using overridden AuthorizeAttribute, thread safety, ChildActions and caching