I'm using roles in my ASP.NET Web API 2 project to limit access to certain resources.
Now I have the following scenario: A clubmanager can only do a GET for a club that he manages. A clubmanager should not be authorized to access clubs that he does not manage.
This is the method that gets a club:
[Authorize(Roles = "ClubManager")]
[Route("{clubId}")]
public Club GetClub(int clubId)
As you can see I only allow a user with the role "ClubManager" to access …