基于角色成员身份或数据关系(所有权)的 ASP.NET MVC 授权
我想扩展 ASP.NET MVC 中的 AuthorizeAttribute,以便它支持用户基于其角色成员身份或相关数据的“所有权”进行授权的概念。 我使用 LINQ2SQL 进行数据访问。 asp.net mvc 授权使用角色有一个类似的问题。
我的想法是将 EntityProperty、UserProperty、RouteParameter 和 JoinTableType 参数添加到我的扩展 AuthorizeAttribute 类中。 前两个是连接表中要检查的属性的名称。 RouteParameter 将是要提取的路由参数的名称,以匹配 EntityProperty 的值。 我将使用当前用户名从用户表中获取用户 ID。 JoinTableType 参数将是数据上下文中表的类型,其中包含路由参数值和用户 ID 必须匹配的 Entity 和 UserProperties。
基本思想是,用伪代码表示:
if authorizecore result is true
user is granted access based on role
else if user is not authenticated
redirect to logon
else if user is related to request
user is granted access based on relation
else
user is not authorized, redirect to not authorized error view
相关测试如下所示:
result = false
find the matching user from user name
find the entity property value in route data
if user exists and entity property value exists
get table from context matching join table type
if table exists
find row in table matching user id and entity property value
if row exists
result = true
endif
endif
endif
return result
我的问题是如何在构造 LINQ 查询时使用类型和属性名称? 或者我是否必须使用 object 和反射来完成所有这些工作。 我真的在寻找如何使这变得更容易的想法,因此其他建议也将受到赞赏。 我更愿意使用该属性,而不是将检查直接嵌入到操作中,以使其与我处理其他操作的方式保持一致。
I'd like to extend the AuthorizeAttribute in ASP.NET MVC so that it supports the concept of a user's authorization being based on their role membership OR "ownership" of the data in question. I'm using LINQ2SQL for data access. There is a similar question at asp.net mvc authorization using roles.
What I'm thinking is adding EntityProperty, UserProperty, RouteParameter, and JoinTableType parameters to my extended AuthorizeAttribute class. The first two would be the names of the properties in the join table to check. The RouteParameter would be the name of the route parameter to extract for the value of the EntityProperty to match. I'd obtain the user id from the user's table using the current user name. The JoinTableType parameter would be the type of the table in the datacontext that contains the Entity and UserProperties that the route parameter value and user id must match.
The basic idea is, in pseudocode:
if authorizecore result is true
user is granted access based on role
else if user is not authenticated
redirect to logon
else if user is related to request
user is granted access based on relation
else
user is not authorized, redirect to not authorized error view
The is related test would look like:
result = false
find the matching user from user name
find the entity property value in route data
if user exists and entity property value exists
get table from context matching join table type
if table exists
find row in table matching user id and entity property value
if row exists
result = true
endif
endif
endif
return result
My question is how do I use the type and property names in constructing the LINQ query? Or am I going to have to do all this with object and reflection. I'm really searching for ideas on how to make this easier so other suggestions would be appreciated as well. I'd prefer to use the attribute rather than embed the checking directly in the action to keep this consistent with how I handle my other actions.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我能够使用 VS2008 示例中的 Dynamic Linq 扩展以相当合理的方式完成此操作。 这是代表上面第二个伪代码示例的代码。 它通过了我最初的单元测试,但我需要使其更加健壮。
用法:
称为:
相关来源:
I was able to use the Dynamic Linq extensions from the VS2008 samples to do this in a pretty reasonable fashion. Here's the code representing the second pseudocode sample from above. It passes my initial unit test, but I'll need to make it more robust.
Usage:
Called as:
Relevant source: