Need a creative way to handle control permissions

[CrashDome]

I'm rewriting our software for .Net 2.0 and in the process cleaning up some bad practices.

Our previous framework was based on a user object and associated permissions collection stored in a database. The user object has been converted to a singleton instead of being referenced class-to-class-to-class... but my permissions still seem to be a bit code heavy.

For example, every form has a method called from the OnLoad event which determines the buttons, menus, textboxes, etc... which are visible to the user based on their permission collection.

Example:

if (user.HasPermission("EditStuff"))
    button1.Visible = true;

As you can believe, creating new permissions and adding them to already created users whenever there is a new feature request is very time consuming. I need to add the permission to the database, then assign it to the relevant people and/or roles, and finally include it within the class/form itself.

Is there a creative way I could say write a new method or add a new control and perhaps specify an attribute which will allow visibility or allow code execution based on user permission? or perhaps should I write a custom control class to handle the lookups?

I'm really smashing my brain around on this one. I'm not a security guru so there might be something to make this easier, but for the most part it has been pretty much a bunch of if...then statements which I never like to see.

I'd really like to make it part of a 'tier' as everbody is advocating. However, I cannot seem to acheive this on my own.

 

[CrashDome]

OK, I've got an idea!!

However, I still need help.

Idea:
Basically I think I am going to use an encrypted settings file to store my permissions. The default values will be the "Public" setting. i.e. An Edit Button's Visible property is set to false by default.

I will have a datatable in my database with values I want to load into the settings for "non-public" permissions.

Once the user logs in, I will load their custom values from the database and replace the default ones.

Here is a full example:

1) Let's say I have a button named "btnEdit" with it's visible property bound to a setting "EditVisible" which is false by default in a settings file called "Permissions" [MyApp.Properties.Permissions]

This allows me to write "permissions" on the fly as I create the form and I do not need to store these in the database.

2) An Administration panel within my app allows me to pull up every user or user role and all the settings from the settings file are listed in a listbox control. I can add a setting to a user or role and change the value and store this value in the database. i.e. John Doe | EditVisible | True

3) On login, the user is given all default "public" permissions as defined by the encrypted file. Once the login is complete, I grab all "non-public" settings for my user from the database and replace the default values i.e. [MyApp.Properties.Permission.EditVisible = true;]

Problems:
A) Whenever I use VS2005's property dialog to bind a value it stores it in my "Settings.settings" file and I cannot choose to use the "Permissions.settings" file instead.

B) I must be careful not to ever use Save() on the permissions settings else I will overwrite the "public" defaults with someones settings!!

Questions:
Is this a good direction to go? How do I alleviate my concerns with the above two problems?

 

[CrashDome]

Please ignore the above. I was going to edit the post and delete everything, but I figure I'd leave it as an example of stupidity.... i.e. if you are thinking of the above... [Don't do it!!]

First, while it is creative, I discovered that in certain cicumstances that binding to settings will auto-save (VB Forms etc..) and it is generally a bad idea.

Second, after playing around with an ObjectDataSource and it's binding, I think I've discovered another way where VS2005 will do what I want automatically... I will post my findings later.