Basically, you write your own authorization attribute. For example:
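/// <summary>
/// Authorization filter that admits a request only when the base
/// <see cref="AuthorizeAttribute"/> check passes and, if permission names were
/// supplied, the current user holds at least one of them.
/// </summary>
/// <remarks>
/// With no permission names the attribute behaves like a plain
/// <see cref="AuthorizeAttribute"/> (the user only has to pass the base check).
/// </remarks>
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class MeuAuthorize : AuthorizeAttribute
{
    // Permission names required by this usage of the attribute; never null.
    private readonly String[] _permissoes;

    // NOTE(review): this context lives as long as the attribute instance. If the
    // framework reuses filter instances across requests, the context is shared
    // between them; confirm MeuProjetoContext tolerates that, or create and
    // dispose one per AuthorizeCore call instead.
    private MeuProjetoContext contexto = new MeuProjetoContext();

    /// <summary>Creates the attribute with the permission names that grant access.</summary>
    /// <param name="permissoes">
    /// Permission names, any one of which is sufficient. May be empty, in which case
    /// only the base authorization check is applied.
    /// </param>
    public MeuAuthorize(params String[] permissoes)
    {
        // The constructor must carry the class name; a null array (explicit null
        // argument) is treated as "no permissions required".
        _permissoes = permissoes ?? new String[0];
    }

    /// <summary>Decides whether the current request is authorized.</summary>
    /// <param name="httpContext">The HTTP context of the request being authorized.</param>
    /// <returns>
    /// <c>true</c> when the base check succeeds and the permission requirement (if any)
    /// is met; otherwise <c>false</c>.
    /// </returns>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Fail closed: a user rejected by the base check is never admitted, and the
        // permission lookup is skipped for that user.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        var permissoesExigidas = _permissoes.OfType<String>().ToList();
        if (permissoesExigidas.Count == 0)
        {
            // No permission names given: the base check alone decides.
            return true;
        }

        // Read the user name once so the query compares against a plain value.
        var nomeUsuario = httpContext.User.Identity.Name;

        var permissoesUsuario = contexto.Permissoes
            .Where(p => p.Usuario.Nome == nomeUsuario)
            .Select(p => p.NomePermissao)
            .ToList();

        // The permission match is required in addition to the base check. Combining
        // the two with "||" would let any user who passes the base check through,
        // whatever permissions were listed on the attribute.
        return permissoesUsuario.Intersect(permissoesExigidas).Any();
    }
}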
Usage:
// Intended effect: the action is reachable only by a user who holds at least one
// of the listed permissions.
[MeuAuthorize("Usuário", "Gerente", "Administrador")]
public ActionResult MinhaAction() { ... }
It can also be used without parameters, just to check that the user is logged in:
// No permission names: only the base AuthorizeAttribute check is applied.
[MeuAuthorize]
public ActionResult MinhaAction() { ... }