I am developing a single-page application. The page has a toolbar. When the user clicks on any button, it visually creates a tab, and triggers an ajax request to the required controller.
Now two things: firstly, the user always has to be authenticated, and secondly, not every user has access to each functionality.
In the first draft of this application, I didn’t have much time to think about it, and I wrote a Javascript function whose body mainly was a Switch structure calling the right controller based on which button was clicked.
I’m no web developer, but I feel this solution is bad for at least three reasons:
- The most obvious: I have one more file to modify if I change or add some controller.
- This reveals the URL of all the existing controllers to anyone that reads the code of the page.
- I have to do the same security checks in every controller.
I imagined the following scenario… what if, after authentication, I only had one controller that checks if the requested functionality is available for the connected user, and only then calls the right code (controller? simple class?) and return the result of this code. This code would never be accessible from outside, only internally.
Am I just confused with MVC and the SPA pattern?
4
If implemented correctly, then MVC can certainly meet your needs.
How are you doing the authentication? If you are using the built in MVC functionality, then all you need to do is add an [Authorize] attribute to either each controller, or each method. All code for validation is then taken care of.
Additionally, you can create a BaseController, from which every controller then inherits. This can then be used to avoid repetitive code, such as setting up common variables, providing custom authentication, etc.
See this question for a good example of a BaseController, and a discussion on using them.
Without knowing too much about your project I would suggest a generic solution for this type of problems. /Note this might not be best in all cases/
Since you said authentication is done in every case it can obviously be done separately to avoid code duplication and complexity.
After authentication based on the users rights you generate a temporary code.
Then you separately store the value of the button which was clicked.
Now you have two numbers (codes): your user rights and the button clicked => a classical case of a 2D lookup table. Where the two codes meet you have a function call (or whatever it is you want to do).
BTW: If you have large switch-cases or if-statements those can pretty much always be replaced with a lookup table, which is much more efficient. In your case that could just be a 2D array.
Pseudo-code:
FunctionalityTable[][] =
{
{event1(), notAllowed(), notAllowed()},
{event2(), event2(), notAllowed()},
...
};
int rights = authenitcate().toInt();
int option = getButtonPressed().toInt();
FunctionalityTable[rights][option];
Your controller is simply feeding data to your website. How it is presented is entirely up to you, be it a SPA or whatever else you want to use. In that sense you are more than welcome to use MVC because how your view is structured is independent from the underlying design of using a controller.
The switch structure that determines which controller to call based on which button was clicked sounds like it belongs in the routing engine. Each button should form a URI request that is submitted to the web server. The web server then uses its routing information to call the underlying Controller and Method based on that configuration. Of course each new button will do new things, and as such will require a new controller method.
How you want to logically structure your controllers is up to you. With ASP.NET MVC you can dictate authorization at a Controller level or a Method level. You could create a single controller and use the Authorize attributes at the method level. You could create different controllers based on authorization levels (IE if you have a User and Admin area) and control authorization at the controller level. Once you have access to the controller, you will have access to all of its methods.
Take a look at http://www.asp.net/mvc/overview/security and see if you can find some more information that leads you to the right answer for your specific problem.