

Musings: Best Way to Provide an Appropriate View

As I have been writing the code and web pages, one dilemma I have come across has been how to provide the appropriate view by role.  For example, a member record contains a number of fields (like address) that the member should be allowed to update, while there are other fields (like date of joining) that only committee members should be able to update.  How best to handle this?  There are many options I can see:

  • A different view for each role:  but this adds duplicate code that might need to be maintained.
  • Controls on what fields can be updated within the controller:  I can’t find this quickly but you can specify which fields can be updated by which roles.  The downside of this is presenting a field a user “thinks” they can edit and then issuing them a validation error message when they can’t, which doesn’t seem appealing to me.
  • Writing “which user” logic into the view, which is tag soup.  See the example at the bottom for what I mean here.
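The second option above, sketched as an added example that is not code from the original post: a per-role allow-list of bindable properties enforced in the controller, so a hand-crafted POST cannot change a field just because the view hid its text box. The `Member` model, `MemberFieldPolicy`, `MemberController` and the in-memory store are hypothetical names made up for illustration; only the "webmaster" role and the `Date` field come from the post, and record-ownership checks are left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical model: Address is member-editable, Date is restricted.
public class Member
{
    public int Id { get; set; }
    public string Address { get; set; }
    public DateTime Date { get; set; }
}

public static class MemberFieldPolicy
{
    // Fields any signed-in member may change (assumed for this example).
    static readonly string[] MemberFields = { "Address" };
    // Extra fields per role; "webmaster" is the role the post's view checks.
    static readonly Dictionary<string, string[]> RoleFields =
        new Dictionary<string, string[]> { { "webmaster", new[] { "Date" } } };

    public static string[] EditableFor(IPrincipal user)
    {
        return MemberFields
            .Concat(RoleFields.Where(r => user.IsInRole(r.Key)).SelectMany(r => r.Value))
            .Distinct().ToArray();
    }
}

public class MemberController : Controller
{
    // Constructed in-memory store standing in for the real data layer.
    static readonly Dictionary<int, Member> Store = new Dictionary<int, Member>
        { { 1, new Member { Id = 1, Address = "1 Example St", Date = new DateTime(2009, 1, 1) } } };

    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        Member member;
        if (!Store.TryGetValue(id, out member)) throw new HttpException(404, "Not found");
        // Bind only allow-listed properties: a posted "Date" from a user who is
        // not a webmaster is ignored instead of being written to the model.
        if (!TryUpdateModel(member, MemberFieldPolicy.EditableFor(User)))
            return View(member); // redisplay with validation messages
        return RedirectToAction("Details", new { id }); // store entry was updated in place
    }
}
```

A view can call `MemberFieldPolicy.EditableFor(User).Contains("Date")` to choose between a text box and read-only text, so what is rendered and what is bound come from the same list.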

I quickly read this article: https://msdn.microsoft.com/en-us/magazine/dd942822.aspx but probably didn’t spend enough time to fully comprehend this.  Right now, my bottom line is that I probably need a comprehensive re-think on my security model, but for now will deploy what I have, even if it isn’t so maintainable.

Example
<tr>
  <td>Date</td>
  <% if (Context.User.IsInRole("webmaster")) { %>
  <td><%= Html.TextBoxFor(model => model.Date) %><%= Html.ValidationMessageFor(model => model.Date) %></td>
  <% } else { %>
  <td><%= Html.Encode(Model.Date) %></td>
  <% } %>
</tr>