Hi everyone!

I'm having a huge problem in understanding Membership with MVC. We have in our project controllers named "Admin" and "SuperAdmin" and they are restricted to some users.

Do I have to use the Authorize Roles attribute on each Action or can I use a ActionFilter to check if an user can view a certain page?

And if I have to user Roles attribute, do I have to configure each user on the ASP.NET Configuration tool? For example, "SuperAdmin" will be only a few users (around 3 at top), making easy to use ASP.NET Configuration tool and tells it who these users are. But "Admin" users will be many more... how can I configure them?

I'm totally lost!

I need a great clarifying on that!

Thanks a lot!!!

 the Authorize attribute by default will just check that the role is allowed to perform the action at all, regardless of the parameters applied to the action.  You can put it on the controller class if you want to secure all actions using the same rules.

You can write your own authorization attribute(s) if you like, the recommended practice is to inherit from the Authorize attribute and add any logic you like by overriding the AuthorizeCore method as given in an example here: http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx

There's no out-of-the-box user admin capability other than the tool you're referring to, but you can add that functionality in if you like, the Membership API is pretty well documented (it's the same as for classic webforms, just the UI changes).  You could also write your own code here to, for example, take in an xml or excel file and create the accounts in a bulk fashion.

http://www.4guysfromrolla.com/articles/120705-1.aspx  is a good write-up of all things Membership in ASP.Net 2.0; with the exception of the controls (e.g. <asp:Login />) most of the info there is still current.

If you're running an Active Directory environment, you could also elect to use Windows authentication w/ the ActiveDirectory providers; that'd be a change in your configuration file (web.config) to enable the other provider.

If you're using the included SQL providers, then you could choose to do bulk operations on the db using the various stored procedures that they included, if you prefer that over the configuration tool; that's not too hard, either, if you're more comfortable w/ sql.

 But, let's suppose I don't want to use Membership and want to restrict user's access with ActionFilter.

I know I can create a filter/attribute and override the OnActionExecuting method and further I can put this attribute in a ActionResult.

And let's assume that I have a table named 'tbUsers', it has also an int field named 'certificate' and depending on this 'certificate' value, an user can access an ActionResult or not.

But, how can I, in a OnActionExecuting mehod, check this user's 'certificate' value and grant his access or redirect to a 'NotAllowed.aspx' page?

Thanks!!! 

 You would still want to override the AuthorizeAttribute as described above, just put whatever your logic is in when  you overrride.