MVC3 loose coupling roles and actions

For a project, I am making an MVC3 application. One of the features I would like to implement is a loosely coupled Role - Action attribution. Basically, an admin user should be able to create roles and link them with actions.

The roles themselves are stored in a database.

I am wondering whether something along the lines of the following approach would work:

    // Definition of the attribute
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
    public class MyFlexibleAttribute : AuthorizeAttribute
    {
        private Repository RolesRepository = new Repository();
        public String ActionName { get; set; }

        public MyFlexibleAttribute()
        {
            Roles = RolesRepository.getStringRolesSeparatedByComma(ActionName);
        }
    }

    // where in a random controller of a view, I could state
    [MyFlexibleAttribute(ActionName = "SpecialAction")]
    public ActionResult SpecialAction()
    {
        return View();
    }

What is your opinion?


**UPDATE** Hi, I've recently discovered some possible lacunae with the above design when using a db context. As the lifespan of the custom attribute is greater than or equal to the lifespan of the controller, calling a new repository when instantiating the attribute could lead to possible discrepancies and security leaks due to the internal state of the repository (if this uses, for instance, dbContext).

E.g. the database is updated, new action for new role, but the repository is not refreshed...

So this is what it looks like in this context:

    public class CustomAuthorizeAction : AuthorizeAttribute
    {
        public ActionTypeName ActionTypeName { get; set; }
        private Repository repo;

        public CustomAuthorizeAction(ActionTypeName actionTypeName)
        {
            this.ActionTypeName = actionTypeName;
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // instantiate new instance when calling the OnAuthorization method
            this.repo = new Repository();
            List<Role> tmp = repo.getRolesLinkedToAction(this.ActionTypeName).ToList();
            Roles = String.Join(",", tmp.Select(r => r.Name));
            // run the standard check against the roles just loaded
            base.OnAuthorization(filterContext);
        }
    }

Hope this helps.


  • Yes, it will work and is the correct way to implement dynamic roles in the case where you don't want to hardcode them using strings with the standard attribute.
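
An added example, not part of the original question or answer: a variant of the attribute that stores nothing request-specific on the attribute instance and resolves the roles inside AuthorizeCore, denying access when no role is linked to the action. The names DynamicRolesAttribute and RoleLookup are hypothetical; RoleLookup is assumed to be wired at application start to a function that queries a fresh repository on every call.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical names: DynamicRolesAttribute and RoleLookup are not from the original post.
// Usage: [DynamicRoles("SpecialAction")] on a controller or action.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class DynamicRolesAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at application start to a function that opens a
    // fresh repository/DbContext per call and returns the role names currently
    // linked to the given action. The default returns no roles, so access is denied.
    public static Func<string, IEnumerable<string>> RoleLookup =
        action => Enumerable.Empty<string>();

    // Immutable after construction, so it is safe if the attribute instance
    // outlives a single request (the lifespan issue raised in the update).
    private readonly string actionName;

    public DynamicRolesAttribute(string actionName)
    {
        if (String.IsNullOrEmpty(actionName))
            throw new ArgumentException("Action name is required.", "actionName");
        this.actionName = actionName;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;

        // Roles are held in a local variable only; the inherited Roles property is
        // never written, so concurrent requests cannot see each other's role list.
        List<string> allowed = RoleLookup(actionName).ToList();

        // Fail closed: with no linked roles Any() is false and the request is denied.
        // The stock attribute with an empty Roles string admits any authenticated user.
        return allowed.Any(user.IsInRole);
    }
}
```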