ASP.NET MVC - 动态授权

发布于 2024-08-24 00:13:14 字数 161 浏览 10 评论 0原文

我正在构建一个简单的 CMS，其中的角色在管理面板中动态设置。因此，现有的授权控制器方法的方式（例如添加[Authorize(Roles="admin")]）已不再足够。角色-操作关系必须存储在数据库中，以便最终用户可以轻松地向管理面板中的其他人授予/获取权限。我怎样才能实现这个？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

花桑 2024-08-31 00:13:15

如果您想控制授权过程，您应该子类化 AuthorizeAttribute 并覆盖 AuthorizeCore 方法。然后只需使用 CmsAuthorizeAttribute 而不是默认值来装饰您的控制器。

public class CmsAuthorizeAttribute : AuthorizeAttribute
{
    public override virtual bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        IIdentity identity = user.Identity;

        if (!identity.IsAuthenticated) {
            return false;
        }

        bool isAuthorized = true;
        // TODO: perform custom authorization against the CMS


        return isAuthorized;
    }
}

这样做的缺点是您将无法访问 ctor 注入的 IoC，因此您必须直接从容器请求任何依赖项。

If you want to take control of the authorization process, you should subclass AuthorizeAttribute and override the AuthorizeCore method. Then simply decorate your controllers with your CmsAuthorizeAttribute instead of the default.

public class CmsAuthorizeAttribute : AuthorizeAttribute
{
    public override virtual bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        IIdentity identity = user.Identity;

        if (!identity.IsAuthenticated) {
            return false;
        }

        bool isAuthorized = true;
        // TODO: perform custom authorization against the CMS


        return isAuthorized;
    }
}

The downside to this is that you won't have access to ctor-injected IoC, so you'll have to request any dependencies from the container directly.

回复收藏 0 原文

鱼窥荷 2024-08-31 00:13:15

这正是 ASP.NET 会员资格/个人资料内容为您所做的事情。它与授权属性一起使用。

如果您想推出自己的操作过滤器，您可以创建一个自定义操作过滤器来模仿标准授权操作过滤器的行为。下面的伪代码。

public MyAuthorizeAttribute : ActionFilterAttribute
{
    public string MyRole { get; set; }

    public void OnActionExecuting(ControllerContext context)
    {
        if (!(bool)Session["userIsAuthenticated"])
        {
            throw new AuthenticationException("Must log in.");
        }

        if (!Session["userRoles"].Contains(MyRole))
        {
            throw new AuthenticationException("Must have role " + MyRole);
        }
    }
}

That is exactly what the ASP.NET membership / profile stuff does for you. And it works with the Authorize attribute.

If you want to roll your own you could create a custom action filter that mimics the behavior of the standard Authorize action filter does. Pseudo code below.

public MyAuthorizeAttribute : ActionFilterAttribute
{
    public string MyRole { get; set; }

    public void OnActionExecuting(ControllerContext context)
    {
        if (!(bool)Session["userIsAuthenticated"])
        {
            throw new AuthenticationException("Must log in.");
        }

        if (!Session["userRoles"].Contains(MyRole))
        {
            throw new AuthenticationException("Must have role " + MyRole);
        }
    }
}

回复收藏 0 原文