Authorization can be done based on user roles.
While creating authorization, we always keep in mind that it should be dynamic. New user groups will come having different permissions. So what I am suggesting is to have the information in a database.
For example:
User Groups
- Admin
- Normal Users
- Restaurants
Roles
- All Privilege
- Basic Privilege
- Intermediate Privilege
You need to use action filters to obtain this.
http://msdn.microsoft.com/en-us/library/dd410209(v=vs.100).aspx
Next we need to assign privileges to each role.
All Privilege - addUser, addResturant, etc. (You can use friendly names for administrative purposes. They can be displayed in the UI, but we need to store the controller name and action name. In the case of addUser, the friendly name will be "Add User" and we store it like below.)
ActionsTable (actionId, friendName, Controller, Action)
  1 - Add User - Users - Add
RolesActionMapTable (roleId, actionId)
  1 - 1
RolesTable (roleId, roleName, desc)
  1 - All Privilege
GroupsTable (groupId, groupName)
  1 - Admin
GroupRoleMap (groupId, roleId)
  1 - 1
Create a custom Authorize attribute by inheriting from AuthorizeAttribute and apply it as a filter for all methods. There is an overridable function, and you can check there whether the user is allowed to access that action. Hence you can block the unauthorized access.
EDIT
From the route data we can identify the controller and action, so we can query the db using the userID, controller and action to see whether it is allowed, or you can get the user's group and check that it includes the permission to access this.
EDIT 2
using System.Web;
using System.Web.Mvc;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // 1. The request's route data gives you the controller and action
        var routeData = httpContext.Request.RequestContext.RouteData;
        string controller = routeData.GetRequiredString("controller");
        string action = routeData.GetRequiredString("action");

        // 2. Retrieve the group of the user and check whether the user is allowed to execute this action
        //    (replace the placeholder below with your lookup against the tables above)
        if (!httpContext.User.Identity.IsAuthenticated)
            return false;
        bool allowed = false; // placeholder: result of the (user, controller, action) lookup; deny by default

        // 3. If allowed, return true, else return false
        return allowed;
        // 4. To redirect to a page saying you are not allowed to access this action, override HandleUnauthorizedRequest
    }
}

// In controller
public class EmployeeController : Controller
{
    [CustomAuthorize]
    public ActionResult Create()
    {
        return View();
    }
}
Hope this helps
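Added example (not part of the answer above): the group -> role -> action lookup wired into the custom attribute, with the answer's tables modelled as in-memory lists. TablePermissionStore, the user "alice" and her group membership are constructed assumptions standing in for real database queries.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Constructed stand-in for the tables in the answer (swap for real database queries).
public class TablePermissionStore
{
    // ActionsTable (actionId, friendName, Controller, Action): 1 - Add User - Users - Add
    private static readonly Dictionary<int, string[]> Actions =
        new Dictionary<int, string[]> { { 1, new[] { "Users", "Add" } } };
    // RolesActionMapTable (roleId, actionId) and GroupRoleMap (groupId, roleId): both 1-1
    private static readonly List<Tuple<int, int>> RoleActions = new List<Tuple<int, int>> { Tuple.Create(1, 1) };
    private static readonly List<Tuple<int, int>> GroupRoles = new List<Tuple<int, int>> { Tuple.Create(1, 1) };
    // Assumed user -> group membership (not one of the answer's tables; constructed sample)
    private static readonly Dictionary<string, int> UserGroups = new Dictionary<string, int> { { "alice", 1 } };
    // Resolve user -> group -> roles -> actions; anything not found denies.
    public static bool IsAllowed(string userName, string controller, string action)
    {
        int groupId;
        if (userName == null || !UserGroups.TryGetValue(userName, out groupId)) return false;
        var roleIds = GroupRoles.Where(g => g.Item1 == groupId).Select(g => g.Item2).ToList();
        var actionIds = RoleActions.Where(r => roleIds.Contains(r.Item1)).Select(r => r.Item2);
        return actionIds.Any(id => Actions.ContainsKey(id)
            && string.Equals(Actions[id][0], controller, StringComparison.OrdinalIgnoreCase)
            && string.Equals(Actions[id][1], action, StringComparison.OrdinalIgnoreCase));
    }
}

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Unauthenticated requests are denied before any lookup
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated) return false;
        var route = httpContext.Request.RequestContext.RouteData;
        return TablePermissionStore.IsAllowed(httpContext.User.Identity.Name,
            route.GetRequiredString("controller"), route.GetRequiredString("action"));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: return 403 rather than bouncing to the login page
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Not allowed");
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

With the sample data, "alice" passes for Users/Add and is denied for every other controller/action pair, so a newly added action is blocked until a row for it exists in the tables.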