Last year I wrote a post on how to add field-level security to your ASP.NET MVC application. When testing the solution, it turned out that the performance was unacceptable. The reason is that we need to check the permissions for every control on a create or edit page, and for some of our entities we have rather big edit pages with more than 20 controls. So we needed to come up with another solution. I sat down with a colleague and together we came up with the following.
Since an edit or create page usually contains properties of a single entity, and maybe some related entities, we thought it would be better to get the permissions for all fields of an entity in one go and store them somewhere for the lifetime of a request.
That's why we now have a "SecurityService" that keeps a dictionary of "AccessRights" like this:
When getting the rights we first check whether we do not already have them and otherwise we go and get them:
The secured textbox extension method has been changed. It now uses the "SecurityService".
It is, however, a local variable, so you must be wondering how the SecurityService can still keep state between calls to SecuredTextBox within the same request. This is where Windsor helps us. It has a "PerWebRequest" lifestyle that you can use so that your components are created only once per HTTP request. So we just configured our "SecurityService" in Binsor as follows and we're done.
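A sketch of the per-request cache described above, as an added example and not the code from the original post. Only the names "SecurityService" and "AccessRights" come from the post; `IPermissionStore`, `LoadFieldRights`, `GetRights`, `CountingStore` and the enum values are hypothetical, and the instance is assumed to be created once per request (for example by the PerWebRequest lifestyle).

```csharp
using System;
using System.Collections.Generic;
[Flags] public enum AccessRights { None = 0, Read = 1, Write = 2 }
// Hypothetical backing store: one call returns the rights for every field of an entity.
public interface IPermissionStore
{
    IDictionary<string, AccessRights> LoadFieldRights(string user, string entity);
}

// Create one instance per HTTP request, never static or singleton:
// a longer-lived cache would serve one user's rights to the next user.
public class SecurityService
{
    private readonly IPermissionStore store;
    private readonly string user;
    private readonly Dictionary<string, IDictionary<string, AccessRights>> cache =
        new Dictionary<string, IDictionary<string, AccessRights>>();

    public SecurityService(IPermissionStore store, string user) { this.store = store; this.user = user; }

    public AccessRights GetRights(string entity, string field)
    {
        IDictionary<string, AccessRights> fields;
        // First control for this entity in the request: load all fields in one go.
        if (!cache.TryGetValue(entity, out fields))
            cache[entity] = fields = store.LoadFieldRights(user, entity) ?? new Dictionary<string, AccessRights>();
        AccessRights rights;
        // Deny by default when the store has no entry for the field.
        return fields.TryGetValue(field, out rights) ? rights : AccessRights.None;
    }
}

// Constructed sample store that counts how often it is queried.
class CountingStore : IPermissionStore
{
    public int Calls;
    public IDictionary<string, AccessRights> LoadFieldRights(string user, string entity)
    {
        Calls++;
        return new Dictionary<string, AccessRights> { { "Name", AccessRights.Read | AccessRights.Write } };
    }
    static void Main()
    {
        var store = new CountingStore();
        var svc = new SecurityService(store, "alice");
        Console.WriteLine("{0} / {1} / store calls: {2}", svc.GetRights("Employee", "Name"),
            svc.GetRights("Employee", "Salary"), store.Calls);
    }
}
```

Two field checks on the same entity hit the store once, and the unknown "Salary" field resolves to `None` rather than inheriting any access.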