I know this might be subject to project setup and a few other things but was just wondering what the best practice is in my case.
I have a web app that has 3 plans: Free, Pro and Prem. On the Free plan I want to restrict the users to certain URLs.
A user can change plans, so if they stick on the Free plan then they don't see the other URLs. But if they upgrade then downgrade they may have visited some of the other URLs.
In all my controllers I have all the information I need about the user e.g the plan they're on and the URL they're trying to view.
I'm not very familiar with this sort of thing so my first thought was to control it on a URL by URL basis. E.g in my controller actions where the Free plan users can't view, do a check on what plan they're on, if its the Free plan then redirect them to a 404 page or whatever.
This is an easy enough approach but I was just wondering if there is a better way of doing it?
Sounds like you want to add an [Authorize] attribute to the controller methods that require an access level greater than your free level, e.g.:
public ActionResult ViewForAllUsers() {
return View();
}
[Authorize(Roles = "Prem, Pro")]
public ActionResult ViewForPremAndPro() {
return View();
}
[Authorize(Roles = "Pro")]
public ActionResult ViewForProOnly() {
return View();
}