Thursday, March 31, 2011

ASP.NET MVC user permissions and views

It seems there are 2 options when dealing with security permissions for views in MVC:

  1. Either handle the permissions control logic in the controller and direct the user to the appropriate view...
  2. Or implement some form of security-aware HtmlHelper extensions that render (or not) appropriate form fields/data

Am I missing any other options here? The first seems ridiculously un-DRY, and the second seems to contradict the definition of a view...

So my question is: is there a better way?

From stackoverflow
  • I disagree with the idea that (2) contradicts the idea of a view. Rendering or not rendering a particular component of a view dependent on data received from the controller seems perfectly appropriate to me. Whether you choose to require the data to be in the model or if it can be used from other server resources depends, I think, on how pedantic you want to be. I choose rather to be pragmatic and simply use what is provided rather than fabricate a new model just to hold role-related information, so in some circumstances (like my menu control) I simply do the role checking in the view logic.

    It's important to remember that MVC is a pattern -- not a dictum. Where the pattern seems to work against you, it's okay to bend it a little. Likewise, DRY is a principle not a law. If it seems best to repeat a little code to accomplish a purpose better, go ahead and repeat it. Understand that you're creating maintenance issues for yourself, but don't let rigid adherence to a principle keep you from doing the "right thing."

    E Rolnicki : It seems to me you would use either/or/both methods... would it not be better to go with a convention and choose 1?
    tvanfosson : That would mean having a separate view for each potential role combination and that seems like too much of a violation of DRY waiting to happen. I prefer to handle it case by case and usually resort to (2) over (1). I can think of only one instance where I've done (1).
    E Rolnicki : Clarification: I meant "choose one"... not in the literal sense "choose number 1".
    tvanfosson : I see, but I do have two examples -- my main menu where differences are due to roles and a content difference where the content changes depending on whether there is a relationship between two entities or the person viewing the first entity is an administrator -- that want to be handled using each.
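The two approaches discussed above, as an added example that is not part of the original question or answer: a role-aware HtmlHelper extension for option (2), beside the `[Authorize]` attribute that option (1) still needs on the action. It assumes ASP.NET MVC 3 (`System.Web.Mvc`); the helper, controller and role names are hypothetical.

```csharp
// Added example, not code from the original post. Assumes ASP.NET MVC 3.
using System;
using System.Linq;
using System.Web.Mvc;
using System.Web.Mvc.Html;

public static class RoleHtmlHelpers
{
    // Option (2): decide in the view whether to render a component at all.
    // The check goes through IPrincipal.IsInRole, so it works with forms
    // authentication, Windows authentication or a custom RoleProvider.
    public static bool UserIsInAnyRole(this HtmlHelper html, params string[] roles)
    {
        var user = html.ViewContext.HttpContext.User;
        return user != null
            && user.Identity.IsAuthenticated
            && roles.Any(user.IsInRole);
    }

    // Renders an action link only for users holding one of the given roles;
    // everyone else gets an empty string, so the menu item simply disappears.
    public static MvcHtmlString ActionLinkForRoles(this HtmlHelper html,
        string linkText, string actionName, string controllerName,
        params string[] roles)
    {
        if (!html.UserIsInAnyRole(roles))
            return MvcHtmlString.Empty;
        return html.ActionLink(linkText, actionName, controllerName);
    }
}

// In a Razor view (hypothetical names):
//   @Html.ActionLinkForRoles("Delete order", "Delete", "Orders", "Admin")

// Hiding the link is a usability decision, not an access control: any user
// can still request /Orders/Delete/42 directly. Option (1), enforced on the
// action itself, is what actually denies the request for non-admins.
public class OrdersController : Controller
{
    [Authorize(Roles = "Admin")]
    public ActionResult Delete(int id)
    {
        // ... delete the order with the given id (hypothetical) ...
        return RedirectToAction("Index");
    }
}
```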
