Routing business branches: granular access control in ASP.NET MVC
How should ASP.NET MVC routes be structured to allow granular role-based access control to business branches?
Every business entity is related to a branch, either by itself or via its parent entities. Is there an elegant way to authorize actions based on user-roles for any number of branches?
1. {branch} in route?

    {branch}/{controller}/{action}/{id}

Action:

    [Authorize(Roles="Technician")]
    public ActionResult BusinessWidgetAction(BusinessObject obj)
    {
        // Authorize will test if User has Technician role in branch context
        // ...
    }

2. Retrieve branch from business entity?

    {controller}/{action}/{id}

Action:

    public ActionResult BusinessWidgetAction(BusinessObject obj)
    {
        if (!User.HasAccessTo("WidgetAction", obj.Branch))
            throw new HttpException(403, "No soup for you!"); // or redirect
        // ...
    }

3. Or is there a better way?
I ended up using the same codebase on separate applications and databases for each business branch. This means I have to update each individually, but allows forking of features.
I rolled my own
[BranchAuthorize(Roles = "Editor, Stock Keeper")]
attribute which checks the authenticated user's roles against the controller action's required roles and displays a message detailing the required roles if none are assigned. Unified branch access control would require a separate authorization service, but would allow for central rights administration.
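An added example (not the answerer's own attribute, nor code from the question) of what a branch-scoped authorize attribute can look like when combined with option 1's {branch} route value. IBranchRoleProvider and its GetRolesInBranch method are assumed abstractions over whatever store holds per-branch role assignments; the attribute fails closed when the route carries no branch and returns 403 with the required roles for authenticated users who lack them.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Assumed abstraction: "which roles does this user hold in this branch?"
// A real application would back this with its membership/authorization store.
public interface IBranchRoleProvider
{
    string[] GetRolesInBranch(string userName, string branch);
}

// Usage on an action: [BranchAuthorize(Roles = "Editor, Stock Keeper")]
// Roles are evaluated in the context of the branch named in the
// "{branch}/{controller}/{action}/{id}" route, not globally.
public class BranchAuthorizeAttribute : AuthorizeAttribute
{
    // Assumed to be assigned once at application start-up.
    public static IBranchRoleProvider RoleProvider { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        if (!httpContext.User.Identity.IsAuthenticated)
            return false;

        // Fail closed: without a branch in the route there is no context to authorize in.
        var branch = httpContext.Request.RequestContext.RouteData.Values["branch"] as string;
        if (string.IsNullOrWhiteSpace(branch))
            return false;

        var required = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
        if (required.Length == 0)
            return true; // authenticated user, valid branch, no specific role demanded

        var held = RoleProvider.GetRolesInBranch(httpContext.User.Identity.Name, branch);
        return required.Any(r => held.Contains(r, StringComparer.OrdinalIgnoreCase));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but missing the branch role: answer 403 with the required roles,
        // instead of the base class's 401 redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Required role(s) in branch: " + Roles);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```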