Order, priority and behaviour of the Authorize attribute in MVC
There is something in the roles I don't exactly get, using the `[Authorize]` attribute.
When you have the `[Authorize]` attribute on the controller and on the action:
- When a role is in both, this role will have access
- When a role is only defined at the Controller, but not at the Action, no access
- When a role is only defined at the Action, but not at the Controller, no access
I get that, that's logical. You need access to the controller before you can run an action.
What I don't get is why this doesn't work:
```csharp
[Authorize(Roles = "Algemeen Beheer, Admin, Coordinator, Secretariaat")]
public class FacturatieGegevensController : Controller {
    [Authorize(Users = "Stefan.coordinator", Roles = "Algemeen Beheer, Admin")]
    public ActionResult Create(int instID) {
        return View();
    }
}
```
When I am logged in as user `Stefan.coordinator`, which has the role `coordinator`, I can access the controller, but I can not access the Create Action.
I thought this would be an OR relation between `Users` and `Roles`. Is it not? And how do I get this to work?
The condition to access the Create method is:
Once all the ANDs / ORs have been worked out, this results in simply:
That is, within a particular `AuthorizeAttribute`, the `Users` and `Roles` are ANDed together. And across multiple `AuthorizeAttribute`s, the conditions are ANDed together.
The best way to think of this is that the `[Authorize]` attributes are not aware of each other, so each executes independently. The controller-level one goes first, then the method-level one goes. To get access to the method, you need to pass all gates.
Edit - there was a question on how the logic works out as it does above.
Let:
Since the controller-level `[Authorize]` attribute is `(A || B || C || D)`, the method-level `[Authorize]` attribute is `(E && (A || B))`, and multiple `[Authorize]` attributes are represented by a logical AND, the logic ends up as `(A || B || C || D) && (E && (A || B))`, which reduces to `E && (A || B)`, which requires the user to be named "Stefan.coordinator" and to be in the "Algemeen Beheer" or "Admin" roles. Since the user Stefan.coordinator isn't in either of these two roles, the check fails.
To your particular problem:
If you want to apply your own logic to the `[Authorize]` attribute checks, subclass `AuthorizeAttribute` and override the `AuthorizeCore` method. That way you can say `if (User == "Stefan.coordinator" || base.AuthorizeCore(...)) { ... }`.
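One way to implement the override the answer suggests, as an added example that is not from the original post or from ASP.NET MVC itself; the attribute name `UsersOrRolesAuthorizeAttribute` is hypothetical, and the code assumes ASP.NET MVC 5's `System.Web.Mvc.AuthorizeAttribute` (whose `Users` and `Roles` are comma-separated strings):

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (not from the original post): authorizes when the
// caller is named in Users OR holds one of Roles, instead of the base
// AuthorizeAttribute's Users AND Roles.
public class UsersOrRolesAuthorizeAttribute : AuthorizeAttribute
{
    // Parse the comma-separated lists the same way the base attribute does.
    private static string[] ParseList(string list)
    {
        if (string.IsNullOrWhiteSpace(list))
            return new string[0];
        return list.Split(',')
                   .Select(s => s.Trim())
                   .Where(s => s.Length > 0)
                   .ToArray();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        // Anonymous callers are always rejected, as in the base attribute.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        string[] users = ParseList(Users);
        string[] roles = ParseList(Roles);
        // No Users and no Roles means "any authenticated user" (base behaviour).
        if (users.Length == 0 && roles.Length == 0)
            return true;

        bool userMatches = users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase);
        bool roleMatches = roles.Any(user.IsInRole);
        // Either gate opens the action; the controller-level [Authorize] still
        // runs first and is ANDed with this result.
        return userMatches || roleMatches;
    }
}

// Usage on the action from the question; the controller-level attribute stays as is.
// [UsersOrRolesAuthorize(Users = "Stefan.coordinator", Roles = "Algemeen Beheer, Admin")]
// public ActionResult Create(int instID) { return View(); }
```

With this attribute on `Create`, Stefan.coordinator passes the controller gate through the Coordinator role and the action gate through the Users list, while users in Algemeen Beheer or Admin still pass through the Roles list; keep the relaxed attribute limited to the actions that really need the OR semantics, since it is looser than the base check.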