R – ASP.Net membership and Roles Managment

asp.netasp.net-membership

looking for some feedback on the built in membership and roles management for ASP.Net 2.0.

Do many people use it?
What is good and/or bad about it?
Can I assign multiple roles to a single user?
What is the alternative norm for .Net apps?

I personally like the idea of having defined permissions or actions to a role. Seems like if I could only assign a single role to a user and I wanted roles to inherit permissions from each other it would be a huge headache to manage using teh built in membership manager.

If I had the following roles..

Publisher
Editor
Member

and I wanted the Editor to have some the permissions that the Publisher and the Member had plus some of it's own, in my code It would be harder to determine if the current user can edit something rather than just have a list of permissions pulled in by a role and just checking to see if "Edit Article" is in the list.

Best Answer

The built-in membership provider is very easy to use, and it's fairly secure. I've used several versions of it in different projects. The great thing about it is that if it doesn't do EXACTLY what you need it to do, you can always just extend it. The built-in Identity object has roles, they're easy to access, store, compare against.

If you're using .Net and you need a fast, prepackaged, reasonably secure authentication source, you can't really go wrong with the built-in membership provider. If you need more security, just take what they give you and make it a little more hard-core. It's even fairly easy to integrate the existing membership authentication with an LDAP store if you have one.

Related Solutions

R – ASP.NET Membership & GridViews

Handle the "RowDataBound" event for your gridview, and inside your event handler, check the user's credentials and set the appropriate visibility on your buttons.

void MyGridView_RowDataBound(Object sender, GridViewRowEventArgs e)
{  
    if(e.Row.RowType == DataControlRowType.DataRow)
    {
      // Check user credentials and set button visibility
      e.Row.Cells[x].Controls[y].Visible = true; //or false
    }
}

Asp.net-mvc – How to best handle permissions (not roles) in asp.net membership, specifically in ASP.NET MVC

I think you should forget about roles on the authorization mechanism, ask for permissions instead (at the end a role is an agrupation of permissions), so if you look it that way, your Authorize Attribute should ask for an entity and action, not for a particular role. Something like:

[Authorize(Entities.Message, Actions.Create)]
public ActionResult CreateMessage()

[Authorize(Entities.Message, Actions.Edit)]
public ActionResult EditMessage()

[Authorize(Entities.Message, Actions.View)]
public ActionResult ViewMessage()

That way your roles do what they do best, abstract permissions collection instead of determining a inflexible way of access level.

EDIT: To handle specific rules like the one pointed by David Robbins, Manager A is not allowed to delete messages created by Manager B, assuming they both have the required permission to access this Controller Action, the Authorize is not responsible to check this type of rules, and even if you try to check that at Action Filter level it will be a pain, so what you can do is extend the Authorize validation to the ActionResult (injecting an action parameter holding the validation result), and let the ActionResult make the logic decision there with all the arguments in place.

This is a similar question, is not exactly the case pointed out here, but its a good starting point on extending the Authorize validation with Action Parameters.

Best Answer

Related Solutions

R – ASP.NET Membership & GridViews

Asp.net-mvc – How to best handle permissions (not roles) in asp.net membership, specifically in ASP.NET MVC

Related Topic