To do what you are looking to do, you shouldn't control your views - you actually have to secure your controllers - not the views. You can do this via controller attributes. Something similar to this:
[Authorize]
public class MyController {
}
By doing this, you secure the entire controller. Every action within that controller will not respond if the user is not authenticated (specifically, they will receive a 401 response). You can extend this by authorizing individual users or individual roles as shown in the examples below:
[Authorize(Users="eestein,JasCav")
public class MyController {
}
[Authorize(Roles="Administrator")]
public class MyController {
}
In your case, you may not want to have an entire controller with authorization on it. Well, excellently enough, ASP.NET MVC provides action-level control of authentication. So, you can do this:
public class MyController {
public ActionResult Index() { }
[Authorize(Roles="Administrator")]
public ActionResult Admin() { }
}
Using this idea, this is where you can control what a user sees on a page. You are going to want to return partial pages from your actions so that you can load various aspects of the page. For example, you may have a view that shows some normal data and some secret data. The normal data can be returned via the normal page. The secret data should be returned as a partial view within the page. However, if a 401 occurs, you can handle it and just not show anything.
It is fairly straightforward to do. The .NET team did a great job of setting this up and you don't have to individually check permissions within your controller. I hope this helps get you started. Do a search online for more information about how to use the Authorization attribute.
Update
In the case where you have an administrator of a page who is controlling those permissions, you have to be smart about how you setup your Authorize attribute. This is where "Roles" are very important (per my examples above). For example, if the administrator says, "I'm going to add John Doe to an SpecialUser role," then John Doe user is going to be able to access all the actions in which the role is set to SpecialUser (if that is indeed a role on your system).
Obviously, you're going to have to give administrators some way of being able to do this, and the Authorize attribute does this perfectly. To see who has permissions on a page, you will have to query the database to find out who is part of what role. Here is a way to think about the setup:
- You control the Roles of the actions.
- Your administrators control who gets granted those roles.
- You can always check (via a simple query) to see who is assigned to what role. You can then (via your knowledge of the actions roles) see who sees what part of the site.
I hope this clarifies (and I hope I understood your problem well enough). I think what you are trying to do is possible.
Update 2
Yes, this does assume you have static groups on your controllers and any new group would have to be programmatically added. I'd be curious to know what kind of use case requires different permissions types to created on the fly - that seems like it would be open to abuse. In any case, I don't have a solution for this.
As for how partial views work...it's something like this...
public class ProductController : Controller
{
//
// GET: /Index/
public ActionResult Index()
{
return View();
}
public ActionResult Partial1()
{
return PartialView();
}
[Authorize]
public ActionResult Partial2()
{
return PartialView();
}
}
Inside your Index.aspx file, you'll have something like this:
<%= Html.RenderAction("Partial1") %>
<%= Html.RenderAction("Partial2") %>
If the user is not authorized you can handle the second RenderAction so the view never even shows. (You can check that within your controller.)
Hope that clarifies things! I'm on the run, so I can't expand on it more now.
