I'm not sure how to implement a custom AuthorizeAttribute to do what I want.
I currently have Authorization working however it's done via SQL query joins within the web services, seems much cleaner to extend AuthorizeAttribute.
The data structure / tables are as follows:
User --> Business --> Employees --> Employee Details, Employee History, Employee Progress, etc
Users can have read and / or write access to any number of businesses and then those permissions will flow down to employees and then the employee tables.
I've created a permissions table that has userID, businessID, readAccess (true/false) and writeAccess (true/false) with appropriate keys back to the relevant tables. Currently the web services that need read access just do a join on that permission table and check if the userID has readAccess set to true for that businessID and if they need write access, the same thing only checking the writeAccess field.
I've started a class which extends AuthorizeAttribute (overriding IsAuthorized) but i'm not sure how I should be writing the logic within this class. Do I use linq to query the DB? Do I send the businessID down in a querystring or is there a better way to do this? How would I handle getting a list of BusinessID's that I have read access to - should I just leave this in the query of the GET API or is there an efficient way of handling this in the authorize class?
Tried searching the internet but haven't found a good tutorial (and it gets confusing between MVC & Web API Authroizationfilters).
Any help would be appreciated!!! Thanks.