I come from 5 years of experience with ASP.NET Web Forms, and I'm new to ASP.NET MVC. I'm now trying to learn MVC with some tutorials, video tutorials, and books.
I'm using Visual Studio 2012 and the brand new ASP.NET MVC 4 to build a little web application to manage my portfolio of mutual funds. This should let me get inside the new pattern and learn lots of new things...
My application should also let some other friends do the same. So it has to manage different users' portfolios.
I've built a little DB with Entity Framework Code First, so I have some basic models: Fund, Portfolio, Share, Deposit, Source and User. One user can have many portfolios with many funds inside of them. Each user has their own deposits list. Each fund has many share values (one/day).
The Source model is simply a table where I put one URL for every website source for the share data of a specific fund. So, one fund has many sources. I then use a scraper class to get data from those websites once a day.
This is the main structure of the application. Now, I need to know what would be the best way to:
1) Manage a user's account.
Should I integrate the ASP.NET Membership DB structure on my DB and use it instead of my custom User table to manage users?
2) Manage user content: portfolios, funds, etc.
What is the easiest and most elegant way in the MVC pattern to implement authentication and all the authorization validations, so that each user gets only his own data? Do I need to check this inside every action on every controller?
So, in other words, how do I have to implement my controllers? E.g.:
[Authorize]
public class PortfolioController : Controller
{
    private FundMonitorContext db = new FundMonitorContext();

    public ActionResult Index()
    {
        // Check user ID and give back to the view only his portfolios...
        var portfolios = db.Portfolios.ToList();
        return View(portfolios);
    }

    ...

    public ActionResult Details(int id = 0)
    {
        ...
    }

    // Other actions...
}
I would really appreciate every suggestion!
It's a choice you have to make yourself but I like to create my own Membership Provider, and it is not that hard. With your own provider you can make it in your own way, not like what Microsoft thought was cool 10 years ago. Example: http://www.codeproject.com/Articles/165159/Custom-Membership-Providers.
In .NET 4.5 it is even easier with SimpleMembershipProvider to create your own provider. With the [Authorize] attribute you are telling the controller that only authorized users will be accepted. When a user signs in you can put the username/userid in the FormsAuthentication cookie, so you can very easily get the user's username/userid. You can also create authentication tickets in the cookie if you want to put more data in it.
To make it easier to test I highly recommend creating a binding between HttpContext.User and IPrincipal, http://www.hanselman.com/blog/IPrincipalUserModelBinderInASPNETMVCForEasierTesting.aspx.
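The pieces this answer describes, put together as an added example (not code from the question, the answer or the linked articles): the user id from the application's own User table is carried in the Forms Authentication ticket's UserData, turned back into a custom IPrincipal on each request, and handed to actions through an IPrincipal model binder so a unit test can pass a principal directly. FundMonitorPrincipal, FundMonitorAuth, the Portfolio.UserId property and the Global.asax handler name are assumptions for the example; FundMonitorContext and Portfolios come from the question.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical principal carrying the numeric id from the app's own User table.
public class FundMonitorPrincipal : IPrincipal
{
    public FundMonitorPrincipal(int userId, string userName)
    {
        UserId = userId;
        Identity = new GenericIdentity(userName, "Forms");
    }
    public int UserId { get; private set; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return false; } // roles not used in this example
}

public static class FundMonitorAuth
{
    // Call after the password check has succeeded. The user id goes into the
    // ticket's UserData, so later requests need no database lookup to get it.
    public static void SignIn(HttpResponseBase response, int userId, string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.UtcNow, DateTime.UtcNow.AddMinutes(30),
            false, userId.ToString());
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, // not readable by script in the browser
            Secure = true    // only sent over HTTPS (the site must be served over HTTPS)
        };
        response.Cookies.Add(cookie);
    }

    // Rebuilds the principal from a validated ticket. Returns null when the
    // cookie is missing, expired, tampered with or encrypted under another key.
    public static IPrincipal PrincipalFromRequest(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; } // Decrypt throws on undecryptable input
        if (ticket == null || ticket.Expired) return null;
        int userId;
        if (!int.TryParse(ticket.UserData, out userId)) return null;
        return new FundMonitorPrincipal(userId, ticket.Name);
    }
}

// Global.asax.cs (assumed class name): runs after Forms Authentication has
// processed the cookie, so the custom principal is in place before any action.
public class FundMonitorApplication : HttpApplication
{
    protected void Application_Start()
    {
        ModelBinders.Binders[typeof(IPrincipal)] = new IPrincipalModelBinder();
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var principal = FundMonitorAuth.PrincipalFromRequest(new HttpRequestWrapper(Request));
        if (principal != null)
        {
            Context.User = principal;
            System.Threading.Thread.CurrentPrincipal = principal;
        }
    }
}

// The binder from the linked Hanselman post: an action declares an IPrincipal
// parameter and receives HttpContext.User; a test just passes its own principal.
public class IPrincipalModelBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        if (controllerContext == null) throw new ArgumentNullException("controllerContext");
        return controllerContext.HttpContext.User;
    }
}

[Authorize]
public class PortfolioController : Controller
{
    private readonly FundMonitorContext db = new FundMonitorContext();

    // No HttpContext needed: new PortfolioController().Index(new FundMonitorPrincipal(7, "bob"))
    // is a complete unit test of the filtering.
    public ActionResult Index(IPrincipal user)
    {
        var me = user as FundMonitorPrincipal;
        if (me == null) return new HttpUnauthorizedResult();
        var mine = db.Portfolios.Where(p => p.UserId == me.UserId).ToList();
        return View(mine);
    }
}
```

[Authorize] only establishes that a ticket is present and valid; the Where clause on UserId is what keeps one user's portfolios out of another user's view, and it has to be applied in every query that returns user-owned rows.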
Use Identity 2.0 for authentication and authorization. I found this blog http://typecastexception.com/post/2014/04/20/ASPNET-MVC-and-Identity-20-Understanding-the-Basics.aspx quite helpful. Basically, you'll get claims based auth and can then decorate your actions with the AuthorizeAttribute such as
[Authorize(Roles="Admin, Moderators")]
public ActionResult MyAction(...)
and you can look at the claims via the User.Identity property in the controller.
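How that looks in the question's PortfolioController when the claims come from ASP.NET Identity 2.0, as an added example (not code from the answer or the linked blog): the user id claim is read through the GetUserId() extension from Microsoft.AspNet.Identity, every query is scoped to that id, Details makes ownership part of the lookup so a guessed id for someone else's portfolio gives 404 rather than their data, and a role from the same claims gates the admin-only listing. The Portfolio.OwnerId and Portfolio.Id properties and the "Admin" role name are assumptions; FundMonitorContext and Portfolios come from the question.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;
using Microsoft.AspNet.Identity; // GetUserId() extension on IIdentity

// [Authorize] proves the caller is signed in. Which rows the caller may see is
// decided below, by scoping every query to the caller's own user id claim.
[Authorize]
public class PortfolioController : Controller
{
    private readonly FundMonitorContext db = new FundMonitorContext();

    // Identity stores the user id as a claim (ClaimTypes.NameIdentifier);
    // GetUserId() returns it as a string.
    private string CurrentUserId()
    {
        return User.Identity.GetUserId();
    }

    public ActionResult Index()
    {
        string uid = CurrentUserId(); // local so EF can parameterize the query
        var mine = db.Portfolios.Where(p => p.OwnerId == uid).ToList();
        return View(mine);
    }

    // Ownership is part of the query, not a check after the fact, so there is
    // no code path that loads another user's row and then decides what to do.
    public ActionResult Details(int id = 0)
    {
        string uid = CurrentUserId();
        var portfolio = db.Portfolios.SingleOrDefault(p => p.Id == id && p.OwnerId == uid);
        if (portfolio == null) return HttpNotFound();
        return View(portfolio);
    }

    // Role claims drive AuthorizeAttribute; only administrators see everything.
    [Authorize(Roles = "Admin")]
    public ActionResult All()
    {
        return View(db.Portfolios.ToList());
    }

    // Any other claim on the identity is available the same way.
    public ActionResult WhoAmI()
    {
        var identity = (ClaimsIdentity)User.Identity;
        var lines = identity.Claims.Select(c => c.Type + " = " + c.Value);
        return Content(string.Join("\n", lines), "text/plain");
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) db.Dispose();
        base.Dispose(disposing);
    }
}
```

The pattern answers the question's "do I need to check this inside every action": yes, every query over user-owned data carries the owner filter, and pulling the id into one helper keeps that filter uniform across the controller.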
Source: https://stackoverflow.com/questions/12458683/asp-net-mvc-how-to-manage-user-content-using-asp-net-membership-provider