How would you architect visitor and admin functions in a single ASP.Net MVC web application?

Question

So I have been working on a small web application (site) for a group of friends of mine and have come to the realization that things need to change. The application has two faces to it

1. a public facing side that serves dynamic data to visitors and non admins, and
2. an admin side where admins can update or create the dynamic data to be served.

This application started off as a single webforms project sectioned off by separate pages and and web.config security of folders. Then it grew into separate projects (MVC admin side and webforms front end). I later had to bring it to where it is today, a single web app with a mix of MVC (admin) and webforms (public), due to deployment issues.

Now I am looking at migrating it to a single MVC project. I would like to keep my administration functions desperate from my public facing side by URL like /Admin and am not sure how to do it. I have read a lot of topics on grouping controllers into modules but am not sure that is the right thing yet.

• Should I just create admin functions inline with the rest of the public app and determine if the user is logged in or not?
• Or should I create Admin controllers that are separate from the public controllers (EventAdminController vs CalendarController)?
• What have others done?

Suggestions welcome, thanks stackoverflow.

---

Yes I am using the ASP.Net MVC framework from Microsoft. Darryl, are you saying to place my views in an Admin folder and protect that it using a web.config (to check security and roles) or to place my controllers in an Admin folder?

My assumptions was that you were saying to place the controllers in an Admin folder, say under controllers. This would still mean that HomeController in /Controllers is different than HomeAdminController in /Controllers/Admin. In this case you could configure specific routes for each but I don't see how simply putting a controller in a different folder would protect them (unless using the Authorize attribute on actions).

As for placing the views in a different folder, I can see how that could work in theory. But wouldn't the controller (in theory without any authorize attributes) still execute up to the point that the view is returned? I would then either expect a redirect or an error. Either way I wouldn't want to execute my controller action if you can't get to the view, and would rather not do any internal action pre-checking.

Answer 1

We have a similar problem where we are creating a very large ASP.NET MVC application and to separate functionality into areas we are using a process very similar to this post by Phil Haack. By creating areas you can have unique controller names for each area instead for the whole application, you can separate your modules far more easily and you can share authentication and basic common functionality.