Application Roles with Hierarchical Organization Roles

There are several sites in our business that we manage, and each of these sites has sub-sites for which it is responsible, and so on. Thus everything is hierarchical, and so are the permissions in our software. If a person at site-X wants to edit material for site-X or any sub-site of site-X, they should be allowed to. We also have application roles, mainly administrators, that allow a person to edit everything and also support the application.

I am currently working on the permission checks for this application, and everything works for me, but I really hate it. It's awkward, not very testable, and doesn't seem to belong in my MVC controller. I was hoping that someone would have some thoughts on how I could reorganize this code to make it more testable, and possibly more convenient to use.

Thanks in advance.

    using System.Collections.Generic;
    using System.Linq;
    using System.Web.Mvc;
    using System.Web.Security;

    public class OuController : BaseController {
      private readonly IOrganizationUnitRepository repo;

      public OuController(IOrganizationUnitRepository repo) {
        this.repo = repo;
      }

      public ActionResult Details(string site) {

        //Get the site we are viewing
        var ou = repo.GetOuByName(site);

        //make sure the site really exists
        if (ou != null) {

          //Get all the roles for the current user via the role provider
          //will return the sites they are able to manage along with
          //any application roles they have
          var roles = ((RolePrincipal)User).GetRoles().ToList();

          //Get all the parents of the current ou, this will include itself
          var parents = repo.GetParents(ou, new List<OU>());

          //create a new viewmodel object
          //ou is used for details obviously
          //parents are used for a breadcrumb
          var model = new OrganizationalViewModel(ou, parents);

          //if a user has no roles, there is no way he can possibly edit
          if (roles.Any()) {
            if (roles.Contains(InfoRoles.Administrator.ToString())) {

              //application role: administrators can edit everything
              model.CanEdit = true;

            } else if (parents == null) {

              //If there are no parents, check if this ou is in users list of roles
              model.CanEdit = roles.Contains(ou.DisplayName);

            } else {

              //check to see if any of the roles i have are parents of the current ou
              model.CanEdit = parents.Any(c => roles.Contains(c.DisplayName));

            }
          }

          return View("Details", model);

        }

        return View("NotFound");

      }
    }
1 answer

Everything that looks like this:

((RolePrincipal)User).GetRoles().ToList()

... belongs in its own class (behind an interface with a method such as "GetCurrentRoles"), so it can be easily mocked.

In addition, this:

    //if a user has no roles, there is no way he can possibly edit
    if (roles.Any()) {
      if (roles.Contains(InfoRoles.Administrator.ToString())) {

        return true;

      } else if (parents == null) {

        //If there are no parents, check if this ou is in users list of roles
        return roles.Contains(ou.DisplayName);

      } else {

        //check to see if any of the roles i have are parents of the current ou
        return parents.Any(c => roles.Contains(c.DisplayName));

      }
    }
    return false;

... belongs in a method such as CanRolesEditOrganizationalView(IEnumerable<RolePrincipal> roles, ...). Then:

    var roles = _sessionManager.GetCurrentRoles();
    ...
    model.Edit = _orgViewRightsUtil.CanRolesEditOrganizationalView(roles, ...);
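Below is an added example, not code from the question or the answer, of what the refactoring suggested above looks like when carried through: the role lookup sits behind a small interface so it can be mocked, and the hierarchical edit decision is a pure function over the user's roles and the OU's ancestor chain, so it can be unit tested without an HttpContext or a repository. The OU type with a Parent link, the ICurrentUserRoles interface, the FixedRoles test double and the Corp/Europe/Berlin hierarchy are all assumptions made for this example; the page's real OU and repository types are not shown in full.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical OU shape for this example: the page's real OU type is not shown.
public class OU
{
    public string DisplayName { get; set; }
    public OU Parent { get; set; }
}

// Wraps ((RolePrincipal)User).GetRoles() so the controller can be tested
// with a fake instead of a real principal (assumed name).
public interface ICurrentUserRoles
{
    IReadOnlyCollection<string> GetCurrentRoles();
}

public static class OrganizationEditPolicy
{
    // The application role that may edit everything (assumed role string).
    public const string AdministratorRole = "Administrator";

    // The OU itself followed by its ancestors, root last. This replaces the
    // repository's GetParents call, which the question says includes the OU itself.
    public static IEnumerable<OU> SelfAndAncestors(OU ou)
    {
        for (var current = ou; current != null; current = current.Parent)
            yield return current;
    }

    // Pure decision: no HttpContext, no repository, trivially unit-testable.
    public static bool CanEdit(IReadOnlyCollection<string> roles, OU ou)
    {
        if (ou == null) throw new ArgumentNullException(nameof(ou));

        // No roles at all means there is no way the user can edit.
        if (roles == null || roles.Count == 0) return false;

        // Check the application role first; admins edit everything regardless
        // of where the OU sits in the tree.
        if (roles.Contains(AdministratorRole, StringComparer.Ordinal)) return true;

        // Site roles: a role naming this OU or any of its ancestors grants edit.
        // Ordinal comparison avoids "Berlin" matching "berlin" by accident.
        var siteRoles = new HashSet<string>(roles, StringComparer.Ordinal);
        return SelfAndAncestors(ou).Any(o => siteRoles.Contains(o.DisplayName));
    }
}

// Test double standing in for the RolePrincipal-backed implementation.
public class FixedRoles : ICurrentUserRoles
{
    private readonly string[] roles;
    public FixedRoles(params string[] roles) { this.roles = roles; }
    public IReadOnlyCollection<string> GetCurrentRoles() => roles;
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample hierarchy for this example: Corp > Europe > Berlin.
        var corp = new OU { DisplayName = "Corp" };
        var europe = new OU { DisplayName = "Europe", Parent = corp };
        var berlin = new OU { DisplayName = "Berlin", Parent = europe };

        var europeManager = new FixedRoles("Europe").GetCurrentRoles();
        var admin = new FixedRoles("Administrator").GetCurrentRoles();
        var nobody = new FixedRoles().GetCurrentRoles();

        // Europe is an ancestor of Berlin, so the Europe role covers it.
        Console.WriteLine(OrganizationEditPolicy.CanEdit(europeManager, berlin));
        // The site itself is part of its own ancestor chain.
        Console.WriteLine(OrganizationEditPolicy.CanEdit(europeManager, europe));
        // Corp is above Europe, so a Europe role does not reach it.
        Console.WriteLine(OrganizationEditPolicy.CanEdit(europeManager, corp));
        // The application role wins everywhere in the tree.
        Console.WriteLine(OrganizationEditPolicy.CanEdit(admin, corp));
        // A user with no roles can never edit.
        Console.WriteLine(OrganizationEditPolicy.CanEdit(nobody, berlin));
    }
}
```

In the controller, Details then reduces to fetching the OU, asking ICurrentUserRoles for the roles, and setting model.CanEdit = OrganizationEditPolicy.CanEdit(roles, ou), while each branch of the decision gets its own test against FixedRoles. One point worth keeping from the original code: because the role provider returns application roles and site names in the same list, the Administrator check must run before the site-name match, and a site whose DisplayName collides with an application role name should be rejected when sites are created, otherwise being assigned that site would read as holding the application role.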
