I have a situation where I need finer-grained security within my page than
what is available with forms authentication, membership and roles.

Here is the setup.

1) I have a fictitious customer form that has the customer's name, address
and date last serviced.
2) Users in the Admin group can update every field.
3) Users in the Technician group can only update the last serviced field.

How can I implement this finer-grained security?

Solution: First, I can secure my form by the authorize attribute requiring a
user to be within one of these two roles. Then, within my view, I could check
the user's role. If the user is in the Admin role, then the view will
display edit fields. If not, then the view will display an edit field for
the last serviced field and display fields for everything else.

1) Does this sound like a reasonable way to handle this?
2) Is there a better/alternate way to handle it?
3) Does this break the separation of concerns MVC offers because of the
logic in the view?
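The approach described in the post, with the per-role field list also enforced when the form is posted back, as an added example that is not part of the original post. It assumes ASP.NET MVC 5; the `Customer` class, `CustomerController`, the in-memory `Store` and `ViewBag.EditableFields` are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Address { get; set; }
    public DateTime? LastServiced { get; set; }
}

[Authorize(Roles = "Admin,Technician")]   // both roles may reach the form
public class CustomerController : Controller
{
    // Constructed in-memory sample data standing in for a real data store.
    private static readonly Dictionary<int, Customer> Store = new Dictionary<int, Customer>
    {
        { 1, new Customer { Id = 1, Name = "Sample Customer", Address = "1 Example St" } }
    };

    // Fields each role may write; the view reads the same list to pick edit vs. display.
    private string[] EditableFields()
    {
        return User.IsInRole("Admin")
            ? new[] { "Name", "Address", "LastServiced" }
            : new[] { "LastServiced" };
    }

    public ActionResult Edit(int id)
    {
        Customer customer;
        if (!Store.TryGetValue(id, out customer)) return HttpNotFound();
        ViewBag.EditableFields = EditableFields();
        return View(customer);
    }

    [HttpPost, ValidateAntiForgeryToken, ActionName("Edit")]
    public ActionResult EditPost(int id)
    {
        Customer customer;
        if (!Store.TryGetValue(id, out customer)) return HttpNotFound();
        ViewBag.EditableFields = EditableFields();
        // Bind only the properties this role may write; other posted fields are
        // ignored, so hiding an input in the view is not the only control.
        if (!TryUpdateModel(customer, EditableFields())) return View(customer);
        return RedirectToAction("Edit", new { id });
    }
}
```

Keeping the role decision in the controller leaves the view with a plain "is this field in the list" test, and a request that carries `Name` or `Address` from a Technician account changes nothing on the server.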