Home/ Questions/Q 8302453
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T17:17:41+00:00

I want to use the following method whenever the GET or POST is called

  • 0

I want to use the following method whenever the GET or POST is called to create or edit an article page:

' userId = ID or username of the user logged in
' companyId = ID or name of the company for which the current blog is assigned
' blogId = ID or name of the blog for which the article is being written
' returnSuccessView = the view that will be returned if the user has access
' returnFailView = the view  that will be returned if the user does not have access

return View(CheckUserAccess(userId, companyId, blogId, returnSuccessView, returnFailView))

Can someone show me what this function would look like? My structure is:

Companies -> Blogs -> Articles -> Comments

I want to create permissions so only users that belong to a certain company and belong to a certain blog and have certain permissions can perform the requested task.

For instance, my user model would have an ICollection of companies to which the user can be associated with, and they can have an ICollection of blogs they can be associated with. They can also have an ICollection of permissions, such as super-user, article writer, article editor, moderator, etc.

I would create a separate model for permissions so that they can be added and removed via a UI.

The function should check whether or not the requested company, blog and permissions match that which the user is associated with (has in their ICollection).

What’s the best way to go about something like this? Thank you.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would recommend you handling this with a custom [Authorize] attribute. Let’s take an example:

    public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            // The user is not even authenticated => we can't get much further
            return false;
        }

        // At this stage we know that there's an authneticated user
        // let's see who he is by fecthing his username
        string username = httpContext.User.Identity.Name;

        RouteData rd = httpContext.Request.RequestContext.RouteData;

        // Now, let's read the companyId and blogId parameters that he sent
        // into the request and ensure that he is not cheating on us
        string companyId = rd.Values["companyId"] as string;
        string blogId = rd.Values["blogId"] as string;

        if (string.IsNullOrEmpty(companyId) || string.IsNullOrEmpty(blogId))
        {
            // One of the required parameters were not supplied when the action was invoked
            // => we can't get much further
            return false;
        }

        return IsOwner(username, companyId, blogId);
    }

    private bool IsOwner(string username, string companyId, string blogId)
    {
        // TODO: you know what to do here: 
        // check with your data store or wherever you have stored this info
        throw new NotImplementedException();
    }
}

    Now you could decorate your controllers/actions with this attribute:

    [MyAuthorize]
public ActionResult Edit(string companyId, string blogId)
{
    // if we got that far it means that the user is authorized to edit this blog post
    // and we could allow him to see the edit view
    EditViewModel model = ...
    return View(model); 
}

    And of course to ensure that the user is not trying to cheat on you on the POST action you could also decorate it with this attribute:

    [MyAuthorize]
[HttpPost]
public ActionResult Edit(EditViewModel model)
{
    // if we got that far it means that the user is authorized to edit this blog post
    // and we could go ahead and perform the necessary update
    ....
}
    • 0