I tend to create a couple of IsInRole overloads (or utility methods if you
are using a sealed IIdentity & IPrincipal) to help...

usually

bool IsInRoleAll(string[] roles)
bool IsInRoleAny(string[] roles)


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] Behalf Of Paul Cowan
Sent: Wednesday, November 21, 2007 4:33 AM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Code review


That is a good point about the ordering of roles.

That is definitely flaky.

But I will still be left with the inline if statements.

Can I somehow abstract them away from the [EMAIL PROTECTED]



> Date: Wed, 21 Nov 2007 09:49:15 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Code review
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
>
> > I am writing an ASP.NET application that is heavily influenced by users
> > and roles. I am finding my code becoming increasingly cluttered with the
> > following type of thing:
> >
> > IList<BusinessFunction> businessFunctions;
> >
> > if (CurrentUser.RoleIsAbove(Role.BusinessUnitAdmin))
> > {
> >     if (CurrentUser.IsSystemAdmin)
> >         businessFunctions = CommonService.GetAll<BusinessFunction>("Deleted");
> >     else
> >         businessFunctions = CommonService.GetAll<BusinessFunction>("Deleted", false);
> > }
> >
> > The thing I am unhappy about seeing is CurrentUser.RoleIsAbove etc.
> >
> > It is making the code messy.
> >
> > I would like a way of somehow abstracting this security outside of the
> > method. Can anyone think how I could raise the abstraction level somehow?
> >
> > I could use custom attributes perhaps but I have 2 if statements checking
> > user roles.
> >
> > Can this be tidied up?
>
> I'm not a fan of specifying access levels in 'above' or 'at least have'
> role ABC. A given action requires a given action right AR. So if a role R
> has that action right AR assigned to it, anyone who has that role assigned
> to him/her can perform AR.
>
> You then have to assign actions with action rights. You can then abstract
> that away like:
>
> if(SecurityManager.CanPerformAction(ActionRights.GetDeletedCustomers, user))
> {
>     // get deleted customers
> }
>
> The advantage of this is that in your system, you have to take notion of
> the order of the roles. That's not really good, because if you make a
> mistake by adding a new role at the wrong spot, it can open up your
> security at places in your application you won't be aware of.
>
> Roles aren't meant for that. Roles are effectively groups of action rights
> you can assign to a user, by assigning the role to a user.
>
> FB
>
> ===================================
> This list is hosted by DevelopMentor® http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com
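
The action-right check described in the thread, as an added example that is not part of the original messages: each role is a group of rights with no ordering, and the call site asks only whether the user holds a right. The `SecurityManager.CanPerformAction` call shape and `ActionRights.GetDeletedCustomers` come from the thread; the role names, the other rights, the `User` type and the sample users are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed for illustration: a flat set of rights with no ordering between them.
public enum ActionRights { GetCustomers, GetDeletedCustomers, ManageBusinessUnits }

public sealed class User
{
    public User(string name, params string[] roles) { Name = name; Roles = roles; }
    public string Name { get; }
    public IReadOnlyCollection<string> Roles { get; }
}

public static class SecurityManager
{
    // A role is a named group of action rights. Adding a role adds one entry
    // here and cannot change what any existing role is allowed to do.
    private static readonly Dictionary<string, HashSet<ActionRights>> RoleRights =
        new Dictionary<string, HashSet<ActionRights>>(StringComparer.OrdinalIgnoreCase)
        {
            ["SystemAdmin"] = new HashSet<ActionRights> {
                ActionRights.GetCustomers, ActionRights.GetDeletedCustomers,
                ActionRights.ManageBusinessUnits },
            ["BusinessUnitAdmin"] = new HashSet<ActionRights> {
                ActionRights.GetCustomers, ActionRights.ManageBusinessUnits },
            ["Auditor"] = new HashSet<ActionRights> { ActionRights.GetCustomers },
        };

    // Deny by default: a null user, a user without roles, or an unknown role
    // name grants nothing.
    public static bool CanPerformAction(ActionRights right, User user)
    {
        if (user == null) return false;
        return user.Roles.Any(role =>
            RoleRights.TryGetValue(role, out var rights) && rights.Contains(right));
    }
}

public static class Program
{
    public static void Main()
    {
        var users = new[] { new User("alice", "SystemAdmin"),
            new User("bob", "BusinessUnitAdmin"), new User("carol", "Auditor", "Typo") };
        foreach (var u in users)   // one check at the call site replaces the nested ifs
            Console.WriteLine("{0}: includeDeleted={1}", u.Name,
                SecurityManager.CanPerformAction(ActionRights.GetDeletedCustomers, u));
    }
}
```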