In my previous post in this series, I determined that I had to start looking into how MVC handles access control before moving forward. I came up with a list of functional specifications that I needed to write proof of concept code right away to learn how ASP.Net MVC helps (or hinders) me in implementing access control. In this post, I’ll look at the first 2 specifications:
- Authenticate individual users and mange their credentials (i.e. a MembershipProvider)
- Manage access to functionality based on membership (i.e. a MembershipProvider)
I know that in MVC, controlling access to controller actions (and thereby the associated views) is done via a specific type of ActionFilter called an AuthorizationFilter. Also, the ASP.Net MVC Web Application template includes code that shows how to use an ASP.Net membership provider to enable user registration and login. So, a quick test that will tell me if the built-in AuthorizationFilter will be able to meet the first 2 functional specifications above is to add an authorization filter to the Add action of the Workouts controller so that only users that have logged in will be able to add a workout.
I do this by changing the attribute for the Add method from:
AcceptVerbs(HttpVerbs.Get)
to:
AcceptVerbs(HttpVerbs.Get), Authorize()
Now when trying to add a workout, a user is redirected to the login page. After registering and logging in the user is now able to add workouts!
In the next installment I will try to convince myself that I can control access to actions based on user’s relationship to an entity (i.e. members can only delete their own workouts).
Stay tuned…