ASP.NET MVC How to manage user content using ASP.NET Membership Provider

I come from 5 years of experience with ASP.NET Web Forms, and I'm new to ASP.NET MVC. I'm now trying to learn MVC with some tutorials, video tutorials, and books.
I'm using Visual Studio 2012 and the brand new ASP.NET MVC 4 to build a little web application to manage my portfolio of mutual funds. This should let me get inside the new pattern and learn lots of new things...
My application should also let some other friends do the same. So it has to manage different users' portfolios.
I've built a little DB with Entity Framework Code First, so I have some basic models: Fund, Portfolio, Share, Deposit, Source and User. One user can have many portfolios with many funds inside of them. Each user has their own deposits list. Each fund has many share values (one/day).
The Source model is simply a table where I put one URL for every website source for the share data of a specific fund. So, one fund has many sources. I then use a scraper class to get data from those websites once a day.
This is the main structure of the application. Now, I need to know what would be the best way to:

1) Manage a user's account.
Should I integrate the ASP.NET Membership DB structure on my DB and use it instead of my custom User table to manage users?

2) Manage user content: portfolios, funds, etc.
What is the easiest and most elegant way, in the MVC pattern, to implement authentication and all the authorization validations so that the user gets his own data? Do I need to check this inside every action on every controller?

So, in other words, how do I have to implement my controllers? E.g.:

[Authorize]
public class PortfolioController : Controller
{
    private FundMonitorContext db = new FundMonitorContext();

    public ActionResult Index()
    {
        // Check user ID and give back to the view only his portfolios...

        var portfolio = db.Portfolios.List();
        return View(portfolio.ToList());
    }

    ...

    public ActionResult Details(int id = 0)
    {
        ...
    }

    //Other actions...
}

I would really appreciate every suggestion!

Birchfield answered 17/9, 2012 at 11:57 Comment(2)
Check out SimpleMembershipProvider weblogs.asp.net/jgalloway/archive/2012/08/29/…, it is a more flexible version of the membership providers provided by Microsoft. - Aftonag
Pretty interesting. I'll give it a try... I'm new to ASP.NET Membership Providers too, since I've developed most of my applications using Oracle DB and custom Users and Profiles tables. - Birchfield
  1. It's a choice you have to make yourself, but I like to create my own Membership Provider, and it is not that hard. With your own provider you can make it in your own way, not like what Microsoft thought was cool 10 years ago. Example: http://www.codeproject.com/Articles/165159/Custom-Membership-Providers.
    In .NET 4.5 it is even easier with SimpleMembershipProvider to create your own provider.

  2. With the [Authorize] attribute you are telling the controller that only authorized users will be accepted. When a user signs in you can put the username/userid in the FormsAuthentication cookie, so you can very easily get the user's username/userid. You can also create authentication tickets in the cookie if you want to put more data in it.

    To make it easier to test I highly recommend creating a binding between HttpContext.User and IPrincipal: http://www.hanselman.com/blog/IPrincipalUserModelBinderInASPNETMVCForEasierTesting.aspx.

Para answered 17/9, 2012 at 13:27 Comment(2)
I already read something about implementation of custom Membership Providers, but I thought that my implementation would be not so different from the ASP.NET integrated one... Maybe I'll change the hashing function from the old SHA1 default to some more reliable SHA256 or SHA512. What could be other advantages in my scenario? - Birchfield
I think you will get a lot of entities in your DB that you are not going to use. And the biggest loss is that you can't make any configuration, but on the other side you save some time when you've already got something that is okay. But if you think the standard provider will satisfy your needs, why not use it. - Para

Use Identity 2.0 for authentication and authorization. I found this blog post, http://typecastexception.com/post/2014/04/20/ASPNET-MVC-and-Identity-20-Understanding-the-Basics.aspx, quite helpful. Basically, you'll get claims-based auth and can then decorate your actions with the AuthorizeAttribute, such as

[Authorize(Roles="Admin, Moderators")]
public ActionResult MyAction(...)

and you can look at the claims via the User.Identity property in the controller.

Vita answered 19/5, 2015 at 4:7 Comment(0)
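
An added example, not code from any of the posts above: the question's PortfolioController with every query scoped to the signed-in user, since [Authorize] on its own only requires that the caller is authenticated. It assumes ASP.NET Identity 2.0's GetUserId() extension and a hypothetical OwnerId column on Portfolio; the model and context shapes are assumed, as the question names them without showing them.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // GetUserId() extension on IIdentity

// Assumed shapes: the question names these types but does not show them.
public class Portfolio
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // hypothetical: id of the owning user
}

public class FundMonitorContext : DbContext
{
    public DbSet<Portfolio> Portfolios { get; set; }
}

[Authorize]   // proves the caller is signed in, not that they own a given row
public class PortfolioController : Controller
{
    private readonly FundMonitorContext db = new FundMonitorContext();

    // The one place the owner filter lives; every action builds on this query.
    private IQueryable<Portfolio> OwnPortfolios()
    {
        string userId = User.Identity.GetUserId();
        return db.Portfolios.Where(p => p.OwnerId == userId);
    }

    public ActionResult Index()
    {
        return View(OwnPortfolios().ToList());
    }

    public ActionResult Details(int id = 0)
    {
        // A lookup by id alone would return other users' portfolios to any
        // signed-in caller; here the owner filter is part of the same query.
        Portfolio portfolio = OwnPortfolios().SingleOrDefault(p => p.Id == id);
        // Same response for "does not exist" and "belongs to someone else".
        if (portfolio == null) return HttpNotFound();
        return View(portfolio);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) db.Dispose();
        base.Dispose(disposing);
    }
}
```

Child entities such as funds or deposits need the same treatment: query them through the owning portfolio or user rather than by their own id alone.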