I’m using ASP.NET/MVC and need to add some security measures to the ActionResult/ViewResult controller methods. Basically I need to make sure the user is associated with the same organisation associated with the page, what level of access they have and redirect them if required.
I would typically use attributes for this but need to use some business logic to determine where to return view/redirect, and I need to initialise a non-constant user-defined object with a query string value before doing it. I want to centralise the logic by maybe using a helper class (open to suggestions) but I’m not sure how to access the context/make the redirect from the helper class.
E.g., page action is like…
public ActionResult Index(string id)
{
    // Build the object from the query string value before the security check
    Models.Bucket bucket = new Bucket();
    InitBucket(bucket, id);

    // The helper decides whether the user may see this bucket, but as written
    // it returns nothing, so the action has no result to return
    SecurityHelper.UserOrganisationMatchesObjectOrganisation(CurrentUser, bucket);
}
and in the SecurityHelper
public static void UserOrganisationMatchesObjectOrganisation(Model.User user, Bucket bucket)
{
    // if various logic on user and bucket passes: return View("NewPage", bucket)
    // else: return RedirectResult("~/yournotallowed")
}
Only thing is you can’t redirect/return view in the helper method without context, and I’m not sure how to pass it from the controller to the helper class or whether that’s possible.
I’m sure there is a better way of doing this like using a service, or using attributes and being able to pass my initialised bucket object in.
Any suggestions welcome!
Thanks
I might be missing something here, but isn’t it just a case of returning an ActionResult from your UserOrganisationMatchesObjectOrganisation method? I would perhaps change the name of it so it’s a bit more obvious what the method is going to do e.g.

Another approach could be to introduce a Service class which could return some sort of state (or throw an exception) which you could then use to determine which view to return e.g.

The benefit of this approach is that it keeps a clean separation between your business & presentation logic.
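The following is an added example (not code from the question or the answer) showing both suggestions side by side: a service that returns a state value and knows nothing about MVC, and a helper that turns that state into an ActionResult without needing the controller context, because ViewResult, RedirectResult and HttpStatusCodeResult are only executed later by the framework. The Bucket/User types, the OrganisationId and AccessLevel properties, the in-memory bucket store and the "~/yournotallowed" URL are assumptions for the sake of the example.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Assumed domain types (not from the original post).
public enum AccessLevel { None = 0, Read = 1, Write = 2 }

public class Bucket
{
    public string Id { get; set; }
    public int OrganisationId { get; set; }
}

public class User
{
    public int OrganisationId { get; set; }
    public AccessLevel AccessLevel { get; set; }
}

// The decision, expressed without any reference to MVC so it can be unit tested.
public enum BucketAccess { Allowed, WrongOrganisation, InsufficientAccess }

public class BucketAccessService
{
    public BucketAccess Check(User user, Bucket bucket, AccessLevel required)
    {
        // Fail closed: a missing user or bucket is never "allowed".
        if (user == null || bucket == null)
            return BucketAccess.WrongOrganisation;

        // The organisation check is what stops a user reaching another
        // tenant's bucket just by changing the id in the query string.
        if (user.OrganisationId != bucket.OrganisationId)
            return BucketAccess.WrongOrganisation;

        if (user.AccessLevel < required)
            return BucketAccess.InsufficientAccess;

        return BucketAccess.Allowed;
    }
}

// The helper the question asked for: it returns an ActionResult but needs no
// context, because the result objects are plain values until MVC executes them.
public static class AccessResults
{
    public static ActionResult For(BucketAccess decision, string viewName, object model)
    {
        switch (decision)
        {
            case BucketAccess.Allowed:
                return new ViewResult
                {
                    ViewName = viewName,
                    ViewData = new ViewDataDictionary(model)
                };
            case BucketAccess.InsufficientAccess:
                return new HttpStatusCodeResult(403);
            default:
                return new RedirectResult("~/yournotallowed"); // assumed URL
        }
    }
}

public class BucketController : Controller
{
    private readonly BucketAccessService _access = new BucketAccessService();

    // Constructed sample data standing in for the real store and the real
    // authenticated user; replace with the project's own lookups.
    private static readonly Dictionary<string, Bucket> Buckets = new Dictionary<string, Bucket>
    {
        { "b1", new Bucket { Id = "b1", OrganisationId = 10 } },
        { "b2", new Bucket { Id = "b2", OrganisationId = 20 } }
    };
    private static readonly User CurrentUser = new User { OrganisationId = 10, AccessLevel = AccessLevel.Read };

    public ActionResult Index(string id)
    {
        Bucket bucket;
        if (id == null || !Buckets.TryGetValue(id, out bucket))
            return HttpNotFound();

        // Decide in the service, map to a result in the helper, and always
        // return that result: a check whose result is discarded protects nothing.
        BucketAccess decision = _access.Check(CurrentUser, bucket, AccessLevel.Read);
        return AccessResults.For(decision, "NewPage", bucket);
    }
}
```

With the constructed data above, /Bucket/Index/b1 renders the NewPage view and /Bucket/Index/b2 redirects, because the user's organisation (10) does not match bucket b2's (20). Keeping the decision in BucketAccessService means the same rule can be reused from an action filter or a base controller method later without duplicating it per action, which is the easiest way to make sure no action forgets the check.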