ASP.NET MVC How many levels deep should a view or URL be?

Question

I am still learning ASP.NET MVC. With webforms, I would create a new folder let\'s call it admin. In there I might have many pages for create_product, edit_product, etc. So t

Answer 1

Part of the benefit of ASP.NET MVC (and more generally, the URL Routing Engine common to all of ASP.NET in .NET 3.5 SP1) is that the URLs can be flexibly configured to map to any folder / file structure you prefer. That means it's much easier than it was in the days of WebForms to modify your URLs after you've started building your project.

To your specific questions:

• One Admin Controller vs. Product Controller - In general, the guidance is to keep controllers focused so that they are easier to test and maintain. For that reason, I would suggest using a single controller per object type (like Product) with your CRUD actions. Examples in your case:

  /admin/product/create

  /admin/product/edit/34 or /admin/product/edit/red-shoes (if name is unique)

  In either case, the Create, Edit, Deatils actions will all be in the ProductController. You may just have custom routes for the "admin actions" (like Create and Edit) that limit their usage (and add the "admin" text to the URL), and then the Details action would be usable by all visitors to your site.

• Securing Admin Views - One important fact to remember with MVC: all requests go directly to controllers, not views. That means the old "secure a directory with web.config" does not apply (usually) to MVC for securing your Admin. Instead, you should now apply security directly to the controllers. This can easily be achieved by using attributes to Controller classes like:
  • [Authorize] - Just checks that the user is logged-in
  • [Authorize(Roles = "Admin")] - Limit to specific user roles
  • [Authorize(Users = "Joe")] - Limit to specific users

You can even create a custom route for "Admin" views in your site and limit access to those views by enforcing your authorization check in the URL routing, like this:

routes.MapRoute(
  "Admin",
  "Admin/{controller}/{action}",
  new { controller = "Product", action = "Index" },
  new { authenticated= new AuthenticatedConstraint()}
);

Where AuthenticatedConstraint looks something like:

using System.Web;
using System.Web.Routing;
public class AuthenticatedConstraint : IRouteConstraint
{
  public bool Match(HttpContextBase httpContext, Route route, string parameterName, RouteValueDictionary values, RouteDirection routeDirection)
  {
    return httpContext.Request.IsAuthenticated;
  }
}

Good details on Stephen Walther's blog: ASP.NET MVC Tip #30 – Create Custom Route Constraints

Answer 2

For admin stuff, just mark with [Authorize] attribute. To ensure only admins can use it, do something like [Authorize(Roles = "Admin")]. Check out this question

Also, /product/create is most common, I think :)

Answer 3

I3Dx definitely has the right guidance for the Authorize attribute, this is essential for keeping controller secure, you can apply to a controller or individual actions.

As far as the URL depth, I would not worry about the depth, I would be more concerned that the route made logical sense for example:

domain.com/admin/products/edit/1

domain.com/admin/groups/edit/1

domain.com/products/view/1

domain.com/groups/view/1

This way you know what is happening with each route. it is obvious that one is an admin and one is an end user.

The easyest way to check is to get someone to read your URL and ask them what they would expect to see.

Hope this helps.

OH and one last thing, for client side routes we often use "slugs" rather than ids so that it is more readable. So when someone creates a product we slugify the name so it can be used in the route such as:

domain.com/products/view/big-red-bucket

rather than

domain.com/products/view/1