Home/ Questions/Q 8565943
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T17:32:40+00:00

I have the following structure in my DB: DomainEntities: +EntityID +Name +ParentID +… Users:

  • 0

I have the following structure in my DB:

DomainEntities:
 +EntityID
 +Name
 +ParentID
 +...

Users:
 +UserID
 +Username
 +...

Roles:
 +RoleID
 +Name

UserRolesAssociation:
 +RoleID
 +UserID
 +EntityID

So i want to use MVC’s built in authorization attribute to filter action in my controllers that are made by different members.

I what to be able to say if user1 makes a delete action on entity1 or any entity under it i can see if he has the right role to do that and filter the action accordingly.

What would be the best practice to tackle that topic ?
Should i create my own permissions engine that will provide me the answers i need or can i use the existing capabilities ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    What would be the best practice to tackle that topic ?

    A custom [Authorize] seems like a good place to implement this logic.

    public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            // the use ris not authenticated or not authorized - no need to continue
            return false;
        }

        string username = httpContext.User.Identity.Name;
        // read the entity id that this user is attempting to manipulate
        string entityId = (string)httpContext.Request.RequestContext.RouteData.Values["id"] ?? httpContext.Request["id"];

        return IsAllowed(username, entityId);
    }

    private bool IsAllowed(string username, string entityId)
    {
        // You know what to do here - hit the database and check whether
        // the current user is the owner of the entity
        throw new NotImplementedException();
    }
}

    and then:

    [HttpDelete]
[MyAuthorize]
public ActionResult Delete(int id)
{
    ...
}
    • 0