How to do authorization for individual objects in ASP.NET?

Question
-
User1005437588 posted
For example in a words learning app I want to allow a user to learn only his words, i.e. there is a property that refers to UserId.
Or I want to assign Admin for particular company that will be able to do some actions regarding it, for example edit data.
What is the proper way of dealing with these things?
Monday, May 30, 2016 3:18 PM
All replies
-
User-271186128 posted
Hi Alex71938,
"For example in a words learning app I want to allow a user to learn only his words, i.e. there is a property that refers to UserId."
You can create a UserWords table. In this table you can add the WordId and the UserId properties; when a user learns a word, you can insert a record in this table. Then, you can find his words via the UserId property.
"I want to assign Admin for particular company that will be able to do some actions regarding it, for example edit data."
From your description, it seems that you want to add roles and implement Role Based Authorization. If that is the case, I suggest you could refer to the following articles:
http://www.asp.net/web-forms/overview/older-versions-security/roles/role-based-authorization-cs
http://www.codeproject.com/Articles/2905/Role-based-Security-with-Forms-Authentication
If your application is a MVC application, you can check the following articles:
http://www.dotnetcurry.com/aspnet-mvc/1102/aspnet-mvc-role-based-security
http://johnatten.com/2014/06/22/asp-net-identity-2-0-customizing-users-and-roles/
Best regards,
Dillion
Tuesday, May 31, 2016 5:36 AM
User1005437588 posted
All these links don't address item-based security. How do I decide that a user is authorized to edit a particular item?
I know how to do it using custom logic, i.e. just check what I need in the controller's method.
I am using AuthorizeAttribute, but I want to know better solutions.
Tuesday, May 31, 2016 4:30 PM
User-271186128 posted
Hi Alex71938,
"How do I decide that a user is authorized to edit particular item?"
You can add roles to the User, then authorize according to the role.
If you want to use User-Based Authorization, you can refer to this article:
http://www.asp.net/web-forms/overview/older-versions-security/membership/user-based-authorization-cs
Best regards,
Dillion
Thursday, June 2, 2016 9:39 AM
User1005437588 posted
But how do I bind Admin to a particular item? Should I write two pieces of code?
Thursday, June 2, 2016 4:23 PM
User-271186128 posted
Hi Alex71938,
You can refer to the following link to allow access to a particular page for a person or roles.
As for the user, you can use the userManager.AddToRole method to add the admin user to the Admin role.
http://www.codeproject.com/Articles/790720/ASP-NET-Identity-Customizing-Users-and-Roles
Best regards,
Dillion
Monday, June 6, 2016 9:23 AM
User753101303 posted
Hi,
It is still a bit unclear, but it seems to me you just want to have a field for each word that tells the company to which it belongs or the user that learns this word. Then you can select data in your controllers, having each admin/user working on his own stuff.
The fact that the role is "Admin" allows certain operations, and the controller will select only data that are owned by this particular admin user.
Monday, June 6, 2016 9:31 AM
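
The per-item check discussed in this thread, as an added example that is not part of any reply above: each row records its owner and company, reads are filtered by owner, and edits go through one predicate that accepts the owner or an admin bound to the row's company. All type and member names (Word, CompanyAdmin, WordService) are hypothetical, the data is constructed, and the code assumes C# 9 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model: each word row records its owner and its company.
record Word(int Id, string Text, string OwnerUserId, int CompanyId);
// Hypothetical link table: which user is Admin of which company.
record CompanyAdmin(string UserId, int CompanyId);

class WordService
{
    private readonly List<Word> _words;
    private readonly List<CompanyAdmin> _admins;
    public WordService(List<Word> words, List<CompanyAdmin> admins) { _words = words; _admins = admins; }

    // Read path: the owner filter is part of the query itself.
    public List<Word> WordsFor(string userId) =>
        _words.Where(w => w.OwnerUserId == userId).ToList();

    // Single place that decides "may this user edit this word?".
    public bool CanEdit(string userId, Word word) =>
        word.OwnerUserId == userId ||
        _admins.Any(a => a.UserId == userId && a.CompanyId == word.CompanyId);

    // Unknown id and forbidden id give the same result, so ids cannot be probed.
    public bool TryEdit(string userId, int wordId, string newText)
    {
        int i = _words.FindIndex(w => w.Id == wordId);
        if (i < 0 || !CanEdit(userId, _words[i])) return false;
        _words[i] = _words[i] with { Text = newText };
        return true;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data. In a controller, userId comes from the
        // authenticated identity, never from the request body or query string.
        var words = new List<Word> { new(1, "apple", "alice", 10), new(2, "birne", "bob", 20) };
        var admins = new List<CompanyAdmin> { new("carol", 10) };
        var svc = new WordService(words, admins);
        Console.WriteLine(svc.WordsFor("alice").Count);      // alice's own rows only
        Console.WriteLine(svc.TryEdit("alice", 2, "pear"));  // bob's word
        Console.WriteLine(svc.TryEdit("carol", 1, "Apple")); // admin of company 10
        Console.WriteLine(svc.TryEdit("carol", 2, "pear"));  // word of company 20
    }
}
```

A role check such as AuthorizeAttribute still gates who may reach the action at all; the row-level predicate then decides which items that user may touch.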