How to do security by profile with Asp.Net MVC?

1

I'm creating a system using Asp.Net MVC and before I start I need to do profile-based security. I will have several profiles each with an access option. For example: Administrator Profile (access all), Common Profile (restricted access), Advanced Profile (some administrative access), etc.

I thought about creating the profiles and creating the modules (methods or controllers) for each profile, granting permissions to the profile through a boolean true / false, and then assigning the profile to the user; in my view this would be the simplest way to do it. However, I do not know how to check whether the method / controller is allowed for the profile before granting access, for example, writing off an account, which only the Administrator profile should be able to do, or writing off a sale, which the Advanced profile could also do alongside the Administrator.

How to do this? What do you suggest?

    
asked by anonymous 02.09.2017 / 20:00

1 answer

2

Thinking of a very simple solution, you could use an ASP.NET filter.

Database

You can have 3 tables: one for users, another for profiles, and another for user profiles.

Controller

You will annotate your classes or methods with the name of the filter; here you tell which profiles will have access to the class.

[PerfilFiltro(Perfil = "Vendas")]

Class filter

In the filter class, you will have access to the database to check whether the user in question has the profile required to access the class.

using System.Web.Mvc;

public class PerfilFiltro : ActionFilterAttribute
{
    // Perfil holds the profile name annotated on the class or action,
    // e.g. [PerfilFiltro(Perfil = "Vendas")]
    public string Perfil { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        string usuario = filterContext.HttpContext.Session["NomeUsuario"] as string;

        // use your own logic to look up the profile linked to this user;
        // if the user does not have access you can redirect them to an
        // error / no-permission page.
        if (usuario == null || !UsuarioTemPerfil(usuario, Perfil))
        {
            filterContext.Result = new RedirectResult("~/Erro/SemPermissao");
        }
    }

    // database lookup of the user's profiles goes here
    private bool UsuarioTemPerfil(string usuario, string perfil)
    {
        throw new System.NotImplementedException();
    }
}
    
15.09.2017 / 21:08
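As an added example that is not part of the answer above, the same profile check written as an authorization filter rather than an action filter: deriving from AuthorizeAttribute means the decision runs before model binding and before any action filter, the user name comes from the authenticated identity instead of a session key, and an authenticated user who lacks the profile is sent to a "no permission" page instead of being bounced back to the login page. The repository interface, the in-memory data (standing in for the three tables the answer describes), the Erro/SemPermissao route and the controller actions are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical data-access interface over the three tables from the answer
// (users, profiles, user-profile links). Replace with your own ORM / DAL.
public interface IPerfilRepository
{
    IEnumerable<string> PerfisDoUsuario(string nomeUsuario);
}

// Constructed in-memory stand-in for the user-profile table, for illustration only.
public class PerfilRepositoryEmMemoria : IPerfilRepository
{
    private static readonly Dictionary<string, string[]> UsuarioPerfil =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "ana",   new[] { "Administrador" } },
            { "bruno", new[] { "Avancado", "Vendas" } },
            { "carla", new[] { "Comum" } },
        };

    public IEnumerable<string> PerfisDoUsuario(string nomeUsuario)
    {
        string[] perfis;
        return UsuarioPerfil.TryGetValue(nomeUsuario ?? "", out perfis)
            ? perfis
            : Enumerable.Empty<string>();
    }
}

// Authorization filter: runs before action filters and before the action itself.
// Usage: [PerfilAuthorize("Administrador")] or [PerfilAuthorize("Administrador", "Avancado")]
public class PerfilAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _perfisPermitidos;

    // Hypothetical wiring: a static for brevity; in a real app resolve it via DependencyResolver.
    public static IPerfilRepository Repositorio = new PerfilRepositoryEmMemoria();

    public PerfilAuthorizeAttribute(params string[] perfisPermitidos)
    {
        _perfisPermitidos = perfisPermitidos ?? new string[0];
    }

    // Decision point: the authenticated identity (Forms Authentication cookie, etc.)
    // must hold at least one of the allowed profiles. Unauthenticated => deny.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User != null ? httpContext.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        return PossuiPerfil(Repositorio.PerfisDoUsuario(identity.Name), _perfisPermitidos);
    }

    // Pure rule, so it can be unit-tested without an HttpContext.
    public static bool PossuiPerfil(IEnumerable<string> perfisDoUsuario, IEnumerable<string> permitidos)
    {
        return perfisDoUsuario.Intersect(permitidos, StringComparer.OrdinalIgnoreCase).Any();
    }

    // A logged-in user without the profile gets the "no permission" page, not the
    // default redirect to the login page (which would just loop them back here).
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User != null &&
            filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary { { "controller", "Erro" }, { "action", "SemPermissao" } });
            return;
        }
        base.HandleUnauthorizedRequest(filterContext); // 401 -> login page
    }
}

// Example controller expressing the two rules from the question.
public class ContasController : Controller
{
    [PerfilAuthorize("Administrador")]
    public ActionResult BaixarConta(int id)
    {
        return Content("conta " + id + " baixada");
    }

    [PerfilAuthorize("Administrador", "Avancado")]
    public ActionResult BaixarVenda(int id)
    {
        return Content("venda " + id + " baixada");
    }
}
```

With the constructed data, "ana" reaches both actions, "bruno" only BaixarVenda, and "carla" neither. The attribute denies by default (no identity or no matching profile both return false), which is the property you want from any profile check; remember to also mark actions that really are public with [AllowAnonymous] rather than leaving them unannotated by accident.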