
Account User Management || How To Implement Freeze User Account?


I have an MVC (4) website and I manage users with a SQL DB (on Azure) and with Identity 2.0.

I finished implementing it and it works great, but there is one more demand:

The admin can freeze and unfreeze users.

The definition of freeze: the user will not be able to use the services of the website.

I thought of 3 ways to implement it:

1. Create a unique role 'Frozen' and put the specific user inside that role, and wrap the services in my site with [Authorize(Roles="some_role_other_than_Frozen")] so the user won't be able to use the services.

When the admin unfreezes the user, a pop-up dialog will ask "to which role do you want to assign the user?" because we put him inside a new role when we froze him.

2. Delete the user from the user table, but not before we create a table for frozen users that has every field of the original user table. When we want to unfreeze a user we just copy each of the fields from the "frozen-user-table" back to the "user-table".

I just hope it will not cause problems with the password hash and the security stamp fields.

3. Add a binary field inside the "User" entity called "Active" (0/1), and when the user signs in I'll check that field. When the admin freezes the user he just assigns the value 0 to this field, and unfreezing sets it to 1.

The problem with that solution is that when the admin freezes the user and assigns the value 0 to the "Active" field, if the user has cookies or an updated security stamp (I think..), he will still be able to get in, because he won't need to sign in on every visit to the site. Maybe there is a way to force him to sign in even when he checked the "remember me" box.

I will describe a problematic scenario for the third solution:

1. The user logs in at 6 PM and checks the "remember me" check box (next time he enters the site he won't need to log in, the site will remember him).

2. The admin at 7 PM freezes the user (deactivates the user account).

3. The user at 8 PM enters the site and the site lets him in. THAT'S THE PROBLEM!

I wonder if somebody has a nice idea how to implement it, or a design tip for one of my solutions to this challenge?


Solution

  • In the end I went with option 3; it's the most logical option of them all, but the problem that I mentioned was a significant problem. I managed to solve this by customizing the authorize attribute and adding a check there for the field, but this implementation is so-so; I'm still looking for the option to log out users (not me, other users).

    If someone has a question I will gladly answer.

    Stay out of trouble.
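
A sketch of option 3 with the remembered-cookie gap closed, as an added example that is not the poster's code. It assumes the standard Identity 2.0 template types `ApplicationUser` and `ApplicationUserManager`; the `Active` property, `ActiveUserAuthorizeAttribute` and `AccountFreezer` are hypothetical names.

```csharp
// Added example, not the poster's code. Assumes the Identity 2.0 template types
// ApplicationUser and ApplicationUserManager, plus a hypothetical bool property
// "Active" added to ApplicationUser (option 3 in the question).
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Use [ActiveUserAuthorize] instead of [Authorize] on protected controllers/actions.
public class ActiveUserAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Normal checks first: authenticated, plus any Users/Roles restrictions.
        if (!base.AuthorizeCore(httpContext)) return false;

        var manager = httpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
        var user = manager.FindById(httpContext.User.Identity.GetUserId());

        // Fail closed: an unknown or frozen user is rejected even with a valid cookie.
        return user != null && user.Active;
    }
}

public static class AccountFreezer
{
    // Hypothetical helper called from the admin's freeze/unfreeze action.
    public static async Task<IdentityResult> SetFrozenAsync(
        ApplicationUserManager manager, string userId, bool frozen)
    {
        var user = await manager.FindByIdAsync(userId);
        if (user == null) return IdentityResult.Failed("User not found.");

        user.Active = !frozen;
        var result = await manager.UpdateAsync(user);
        if (!result.Succeeded) return result;

        // Changing the stamp makes cookies issued before this point fail the
        // SecurityStampValidator check configured on the cookie middleware.
        return await manager.UpdateSecurityStampAsync(userId);
    }
}
```

The stamp change only signs other users out once the cookie is revalidated, which is governed by the `validateInterval` passed to `SecurityStampValidator.OnValidateIdentity` in the cookie authentication options; the attribute check covers requests made before that happens.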