Currently, I have an employee management system for a certain branch with many functions such as CRUD, export/import of Excel files, etc. Now I want to expand it, bringing this system to other branches so that they can use the existing functions, with the requirement that employee data between branches will not affect each other even if they share the same database server.
I have set up a user login authentication cookie, using the Role of Full Admin, who will create accounts for Branch Admins with full system rights and Users with limited rights.
The plan I propose is to use a Branch table and put the Branch Id value into Branch Admins as well as Users when creating accounts for them, and that ChiNhanhId value will also be included in data tables such as Employees, Orders, Position, Title, etc., so that when anyone logs into the system, I will put that ChiNhanhId in the session and compare it with the branch ID in the data; if it matches, the data will be displayed and they can do anything with it.
However, when it comes to the step of comparing and displaying, I have difficulty with the comparison and with displaying the data afterwards.
I created a class to compare the ChiNhanhId from the session with the ChiNhanhId in the data:
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;
    using System.Web.Routing;

    public class CustomAuthorizeWithChiNhanhAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var user = httpContext.User;
            // Check whether the user is logged in
            if (!user.Identity.IsAuthenticated)
            {
                System.Diagnostics.Debug.WriteLine("[CustomAuthorizeWithChiNhanh] User is not logged in.");
                return false;
            }
            // Get ChiNhanhId from the session
            var chiNhanhId = httpContext.Session["ChiNhanhId"] as int?;
            System.Diagnostics.Debug.WriteLine($"[CustomAuthorizeWithChiNhanh] ChiNhanhId from session: {chiNhanhId}");
            if (chiNhanhId == null || chiNhanhId <= 0)
            {
                System.Diagnostics.Debug.WriteLine("[CustomAuthorizeWithChiNhanh] ChiNhanhId is invalid.");
                return false;
            }
            // Check that the ChiNhanhId exists in the database.
            // Filter attribute instances are cached and shared between requests, so the
            // context is created per call instead of being kept in a field. Any() is used
            // instead of SingleOrDefault(): a branch normally has more than one employee,
            // and SingleOrDefault() throws as soon as it finds a second matching row.
            using (var db = new Db())
            {
                if (!db.NhanViens.Any(nv => nv.ChiNhanhId == chiNhanhId))
                {
                    System.Diagnostics.Debug.WriteLine("[CustomAuthorizeWithChiNhanh] No employee found for this ChiNhanhId.");
                    return false;
                }
            }
            System.Diagnostics.Debug.WriteLine("[CustomAuthorizeWithChiNhanh] User is allowed to access.");
            return true;
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            // Redirect to the login page when access is denied
            System.Diagnostics.Debug.WriteLine("[CustomAuthorizeWithChiNhanh] Redirecting the user to the login page.");
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary
                {
                    { "controller", "Home" },
                    { "action", "DangNhap" }
                }
            );
        }
    }
Then I use it on the controllers as [CustomAuthorizeWithChiNhanh], with the aim of avoiding rewriting the entire code base, because there is a lot of it.
Note: ChiNhanhId = BranchID
The question is: how can I check whether the ChiNhanhId from the user matches the ChiNhanhId in the data? If it matches, the data should be displayed and the functional operations should work; otherwise nothing should be displayed and no function should be possible, because the data is not there.
I'm sorry because I'm not good at English at all so I have to use google translate so there may be errors in the sentences.
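The following is an added example, not code from the question above. It shows the pattern the question is reaching for: an authorize attribute runs before the action loads any row, so it can only decide whether the caller is allowed in at all, and the per-row ChiNhanhId comparison has to live in the data access code, where every query and every write is filtered by the branch taken from the session. The sample is a plain console program with an in-memory list standing in for the `Db` context; `NhanVien` and `ChiNhanhId` are taken from the question, while `IBranchOwned`, `BranchScope` and `BranchScopedRepository` are assumed names invented for this example.

```csharp
// Added example, not part of the original question. Demonstrates branch-scoped
// (row-level) data access: the caller's branch id comes from the authenticated
// session once, and every read and write goes through it. An in-memory list
// stands in for the poster's EF "Db" context (constructed sample data).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Every table that belongs to a branch carries the branch id (assumed interface name).
public interface IBranchOwned
{
    int ChiNhanhId { get; }
}

public class NhanVien : IBranchOwned
{
    public int Id { get; set; }
    public string Ten { get; set; }
    public int ChiNhanhId { get; set; }
}

// The caller's branch, taken from Session["ChiNhanhId"] after login, never from the request URL or form.
public sealed class BranchScope
{
    public int ChiNhanhId { get; }
    public BranchScope(int chiNhanhId)
    {
        if (chiNhanhId <= 0) throw new ArgumentOutOfRangeException(nameof(chiNhanhId));
        ChiNhanhId = chiNhanhId;
    }
}

// All reads and writes go through this class, so no query can forget the branch filter.
public class BranchScopedRepository<T> where T : class, IBranchOwned
{
    private readonly List<T> _table;    // stands in for db.NhanViens
    private readonly BranchScope _scope;

    public BranchScopedRepository(List<T> table, BranchScope scope)
    {
        _table = table;
        _scope = scope;
    }

    // Base query: every row it returns already belongs to the caller's branch.
    public IQueryable<T> Query() =>
        _table.AsQueryable().Where(x => x.ChiNhanhId == _scope.ChiNhanhId);

    // A row from another branch is indistinguishable from a missing row,
    // so the controller can simply return 404 when this yields null.
    public T Find(Expression<Func<T, bool>> predicate) => Query().FirstOrDefault(predicate);

    // Writes are checked as well: an entity tagged with a foreign branch is rejected
    // rather than being silently stored under the wrong branch.
    public void Add(T entity)
    {
        if (entity.ChiNhanhId != _scope.ChiNhanhId)
            throw new UnauthorizedAccessException("Entity belongs to another branch.");
        _table.Add(entity);
    }

    // Delete only touches rows the scoped query can see.
    public bool Remove(Expression<Func<T, bool>> predicate)
    {
        var row = Find(predicate);
        if (row == null) return false;   // not found or other branch: same answer
        return _table.Remove(row);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample rows for two branches.
        var nhanViens = new List<NhanVien>
        {
            new NhanVien { Id = 1, Ten = "An",   ChiNhanhId = 1 },
            new NhanVien { Id = 2, Ten = "Binh", ChiNhanhId = 1 },
            new NhanVien { Id = 3, Ten = "Chi",  ChiNhanhId = 2 },
        };

        // A branch-1 user: in the web app the scope is built from the session value.
        var repoBranch1 = new BranchScopedRepository<NhanVien>(nhanViens, new BranchScope(1));

        // Counts only the rows of branch 1.
        Console.WriteLine("Visible employees: " + repoBranch1.Query().Count());
        // Id 3 belongs to branch 2, so the scoped lookup reports it as missing.
        Console.WriteLine("Id 3 hidden: " + (repoBranch1.Find(nv => nv.Id == 3) == null));
        // Deleting a branch-2 row through a branch-1 scope does nothing.
        Console.WriteLine("Removed id 3: " + repoBranch1.Remove(nv => nv.Id == 3));

        try
        {
            repoBranch1.Add(new NhanVien { Id = 4, Ten = "Dung", ChiNhanhId = 2 });
        }
        catch (UnauthorizedAccessException e)
        {
            Console.WriteLine("Add rejected: " + e.Message);
        }
    }
}
```

In the real application the repository would wrap the EF context and `Query()` would return `db.NhanViens.Where(nv => nv.ChiNhanhId == scope.ChiNhanhId)`; the existing controllers then only need their `db.NhanViens` calls replaced with the scoped query, while the attribute keeps doing the login and session checks. The important detail is that the branch id is never read from the request: if it came from a query string or a form field, a user could simply change it.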