Summary: I need to authorize pages based upon the data present in the query string of a url, not just the page name.

Background:

Let’s say I’m building a library inventory system. Users can be created and assigned to a single library in either an Admin or User role. There are hundreds of competing libraries in the same database, so it’s important to ensure that users of one library cannot view inventory from another library.

Right now I’m using a pretty standard ASP.NET setup: Forms Authentication using the SqlMembershipProvider. Authorization using the SqlRoleProvider, configured via <authorization> sections in the web.config. Security trimming with the SiteMap provider to hide unauthorized pages.

To control the inventory information from leaking, I’m manually checking a user’s associate library ID with every inventory query. It works, but it’s tedious and prone to errors. There has to be a better way.

Question:

Now users have the ability to create arbitrary “collections” within a library. (e.g. Collection A has Books 1, 2, & 3 in it.) Admins want the ability to grant Admin / User access on individual collections, not just the entire library.

So, if a user goes to www.com/Book.aspx?BookId=1, the system needs to ensure that user has permissions for the collection that “Book 1” is in before showing the page. If they go to http://www.com/Reviews.aspx?ReviewId=23, I need to make sure the Review is for a book that is in a collection that they have permission to view.

1) How can I implement this in the most standard ASP.NET way possible?
Manual checking within a base page?
A custom HttpModule?
A custom Role Provider?
I’m not interested in how to store the admin/user permissions, but rather how/where to authorize based on those permissions.
(examples on how to implement any of those are appreciated)

2) To further complicate it, I’d still like security trimming to check if the user has Admin rights on any collection or library and hide the admin pages if he doesn’t.