Authentication
The system uses a static session persister class together with cookies to manage authentication and authorization.
Authentication is forms based (ASP.NET FormsAuthentication); the user records and credentials are kept in the database.
A static class called SessionPersister manages the persistence of the user's identity after they have signed in to the site.
On each later request the user is recognized by the encrypted forms-authentication cookie; without a valid cookie they are required to sign in.
Authorization
We keep track of the user's type in the user record and in SessionPersister.
This distinguishes a contractor, a company admin and a pharmacy manager (see Roles below).
All controllers derive from our custom SecureController, which extends the MVC base Controller class.
In the constructor of SecureController we piggyback on FormsAuthentication to assign roles: the role stored with the user is read back and attached to the current principal. This happens before the authorization filters run, so the roles are in place when they are checked; note that only controllers deriving from SecureController get roles assigned this way.
In this way we can use the [Authorize(Roles = "Admin")] attribute on our action methods to restrict access.
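The following is an added example (not the project's own code) of how these pieces fit together: SessionPersister writes the user's role into the UserData field of the encrypted forms-authentication ticket at sign-in and reads it back on later requests, and the SecureController constructor turns that role into a GenericPrincipal so [Authorize(Roles = ...)] can check it. The UserRecord type, the AppRoles constants and the two sample controllers are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Role names exactly as they appear in [Authorize] attributes (assumed constants).
public static class AppRoles
{
    public const string Contractor = "Contractor";
    public const string Admin = "Admin";
    public const string CompanyAdmin = "Company_Admin";
    public const string PharmacyManager = "Pharmacy_Manager";
}

// Hypothetical shape of the user record loaded from the database after the password check.
public class UserRecord
{
    public string UserName { get; set; }
    public string Role { get; set; }
}

// Static persister: issues the forms-auth cookie at sign-in and reads the role back from it later.
public static class SessionPersister
{
    // Call only after the credentials have been verified against the database.
    public static void SignIn(HttpContextBase ctx, UserRecord user, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, user.UserName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent,
            user.Role);                                  // the role travels inside the ticket

        // Encrypt() encrypts and signs the ticket with the machineKey, so the role
        // cannot be altered in the browser.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                             // not readable from script
            Secure = FormsAuthentication.RequireSSL,     // HTTPS only when configured
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);
    }

    public static void SignOut()
    {
        FormsAuthentication.SignOut();
    }

    // Returns the role carried by a valid ticket, or null when there is none.
    public static string CurrentRole(HttpContextBase ctx)
    {
        var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            var ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.UserData;
        }
        catch (Exception)
        {
            return null;   // tampered cookie, or one issued under a different machineKey
        }
    }
}

// Every controller derives from this. The constructor runs before MVC's authorization
// filters, so the roles are in place when [Authorize] calls User.IsInRole.
public abstract class SecureController : Controller
{
    protected SecureController()
    {
        // Controller.HttpContext is not populated inside the constructor; use the static context.
        var raw = System.Web.HttpContext.Current;
        if (raw == null || raw.User == null || !raw.User.Identity.IsAuthenticated) return;

        var role = SessionPersister.CurrentRole(new HttpContextWrapper(raw));
        var roles = role == null ? new string[0] : new[] { role };
        var principal = new GenericPrincipal(raw.User.Identity, roles);
        raw.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}

// Only the Admin role reaches this action; anyone else is redirected to the login page.
public class AdminController : SecureController
{
    [Authorize(Roles = AppRoles.Admin)]
    public ActionResult Index() { return View(); }
}

// A comma-separated list grants access to any one of the listed roles.
public class PharmacyController : SecureController
{
    [Authorize(Roles = AppRoles.CompanyAdmin + "," + AppRoles.PharmacyManager)]
    public ActionResult Edit(int id) { return View(); }
}
```

Two practical notes: the conventional place for this role assignment is Application_PostAuthenticateRequest in Global.asax, which covers every request rather than only controllers derived from SecureController; and because the ticket is protected by the machineKey, a web farm needs an explicit machineKey in Web.config so cookies issued by one server decrypt on the others.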
Roles
Roles are how we will manage the access to various parts of the site.
Initially we will have 5 roles:
Contractor - Pharmacy labor resource
Pharmacist - Person who manages a single pharmacy (deprecated, was confusing)
Admin - Account for managing a company and its respective pharmacies.
Company_Admin - Sets up and administers a company, pharmacies and creates pharmacy manager accounts
Pharmacy_Manager - person who manages a single pharmacy
Roles are managed with the ASP.NET role manager; the ASP.NET Configuration tool (the Web Site Administration Tool in Visual Studio) lets us add or edit roles.
Access to pages in the site is then controlled with a simple attribute on the controller action, for example:
[Authorize(Roles = "Pharmacist,Admin")]
A comma-separated list admits any one of the listed roles. The names must match the role names stored in the user record, and Pharmacist is deprecated (see above), so new code should use Pharmacy_Manager.
The security model keeps the session information in cookies; the forms-authentication ticket is encrypted and validated by the built-in FormsAuthentication machinery (keyed by the machineKey), which is what stops the stored role from being altered client-side.
Only pure admins (the Admin role, not Company_Admin or Pharmacy_Manager) will see the admin tab. Hiding the tab is a UI convenience only; the admin actions themselves are still guarded by [Authorize(Roles = "Admin")].
A root admin is created when the system is initialized. This admin is responsible for creating companies and other admins.
The initial username and password are 'root' and 'Eti1'. Because this default is written down here, it must be changed at the first sign-in and must never remain in place on a deployed system.
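As an added example (not the project's own initialization code), here is one way to seed the root admin without a fixed password living in source or documentation: the initial secret is read from configuration, stored only as a salted PBKDF2 hash, and the account is flagged so the first sign-in must change it. AdminUser, PasswordHasher, RootAdminSeeder and the "RootAdmin:InitialPassword" setting name are assumptions for illustration.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;

// Hypothetical user record shape; the real one is defined by the database schema.
public class AdminUser
{
    public string UserName { get; set; }
    public string Role { get; set; }
    public byte[] PasswordSalt { get; set; }
    public byte[] PasswordHash { get; set; }
    public bool MustChangePassword { get; set; }
}

public static class PasswordHasher
{
    private const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // Rfc2898DeriveBytes is PBKDF2 (HMAC-SHA1 in this classic overload); a fresh random salt per user.
    public static void Hash(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashBytes);
    }

    public static bool Verify(string password, byte[] salt, byte[] hash)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return FixedTimeEquals(kdf.GetBytes(hash.Length), hash);
    }

    // Constant-time comparison so a wrong guess is not distinguishable by timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class RootAdminSeeder
{
    // Runs once at initialization. userExists and save stand in for the real data access layer.
    // Returns null when the root account already exists.
    public static AdminUser CreateIfMissing(Func<string, bool> userExists, Action<AdminUser> save)
    {
        if (userExists("root")) return null;

        // The initial password comes from configuration or the environment, never from source.
        var initial = ConfigurationManager.AppSettings["RootAdmin:InitialPassword"]
                      ?? Environment.GetEnvironmentVariable("ROOT_ADMIN_INITIAL_PASSWORD");
        if (string.IsNullOrEmpty(initial))
            throw new InvalidOperationException("Root admin initial password is not configured.");

        byte[] salt, hash;
        PasswordHasher.Hash(initial, out salt, out hash);

        var root = new AdminUser
        {
            UserName = "root",
            Role = "Admin",
            PasswordSalt = salt,
            PasswordHash = hash,
            MustChangePassword = true   // sign-in code redirects to a change-password page while this is set
        };
        save(root);
        return root;
    }
}
```

The sign-in action should check MustChangePassword after PasswordHasher.Verify succeeds and refuse to issue the forms-authentication ticket until the password has been replaced; the configured initial value can then be removed from the deployment.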