I have been trying to implement custom security and met some problems.
Basically I need security for employees grouped up in teams, team leaders, etc. (An Employee is authorized to see only his data on the website, a TeamLead is authorized for all employees in his team, and so on.)
I have content and non-content types in my custom module.
For content items I can implement a custom IAuthorizationServiceEventHandler to handle custom authorization logic.
For non-content items it is a bit complicated.
Generally the approach is to use a custom AuthorizeAttribute implementation and place all the code there.
For me the problem here is using my database repositories. I can't hook up Autofac Dependency Injection to the code of this attribute implementation, and so I can't retrieve user/employee data and relations and the respective team data.
I have also tried to use AuthorizationFilterAttribute from
to resolve WorkContext and use DI this way, but with this approach I don't know how to retrieve the respective user identity that is used to call the action.
The attribute looks like this:
[ResourceAuthorize(Level = AuthorizationLevels.OwnerOrAdministrator, Key = "id")]
public ActionResult ListByEmployee(int employeeId)
class ResourceAuthorizeAttribute : AuthorizeAttribute, IDependency
In the AuthorizeCore method of the attribute I need to use some custom logic to check for user roles, team, etc.
Please suggest an approach for resolving these custom security issues.
Probably I should use something else, not custom attributes?
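
The access rule described in the post (an employee sees only his own data, a team lead sees every employee in his team), as an added example that is not the poster's code and not Orchard's API. All type names are hypothetical, administrator access is an assumption taken from the OwnerOrAdministrator level in the attribute, and the policy takes its repository through the constructor so a container can supply it.

```csharp
using System;
using System.Collections.Generic;

// All type and member names below are hypothetical; none come from the post or from Orchard.
public enum AccessRole { Employee, TeamLead, Administrator }

public sealed class Caller { public int EmployeeId; public AccessRole Role; }

// Returns null when the employee is unknown.
public interface ITeamRepository { int? GetTeamId(int employeeId); }

public sealed class EmployeeAccessPolicy
{
    private readonly ITeamRepository _teams;
    public EmployeeAccessPolicy(ITeamRepository teams) { _teams = teams; }

    public bool CanView(Caller caller, int targetEmployeeId)
    {
        if (caller == null) return false;                         // no identity: deny
        if (caller.Role == AccessRole.Administrator) return true; // assumption: admins see all
        if (caller.EmployeeId == targetEmployeeId) return true;   // owner of the record
        if (caller.Role != AccessRole.TeamLead) return false;     // plain employee, other record
        int? leadTeam = _teams.GetTeamId(caller.EmployeeId);
        int? targetTeam = _teams.GetTeamId(targetEmployeeId);
        // An unknown employee on either side fails closed.
        return leadTeam.HasValue && targetTeam.HasValue && leadTeam.Value == targetTeam.Value;
    }
}

public sealed class InMemoryTeams : ITeamRepository // constructed sample data
{
    private readonly Dictionary<int, int> _teamByEmployee =
        new Dictionary<int, int> { { 1, 10 }, { 2, 10 }, { 3, 20 } };
    public int? GetTeamId(int employeeId)
    {
        int team;
        return _teamByEmployee.TryGetValue(employeeId, out team) ? team : (int?)null;
    }
}

public static class Program
{
    public static void Main()
    {
        var policy = new EmployeeAccessPolicy(new InMemoryTeams());
        var lead = new Caller { EmployeeId = 1, Role = AccessRole.TeamLead };
        var emp = new Caller { EmployeeId = 2, Role = AccessRole.Employee };
        Console.WriteLine("{0} {1} {2} {3}", policy.CanView(emp, 2), policy.CanView(emp, 1),
            policy.CanView(lead, 2), policy.CanView(lead, 3));
    }
}
```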