ASP.NET 授权属性和管理员用户角色
使用Authorize属性我可以指定允许访问资源的角色。
[Authorize(Roles="User")]
但是,如果我有允许访问任何资源的管理员用户,我也需要指定这个资源,
[Authorize(Roles="User, Administrator")]
但可能有某种方式我可以说管理员允许去任何地方而不是在授权属性中指定这个资源?
所以我的意思是,如果代码中的某个位置(在控制器上或在操作上)是这个 [Authorize(Roles="User")] 这意味着管理员角色允许去那里以及。
或者我可以将其设置为所有动态授权角色,当应用程序启动时如何?
有什么想法吗?
更新:
目前我有一个具有授权属性 [Authorize(Role="Administrator")] 的管理控制器,并且我在另一个具有属性 [Authorize(Role="User") 的控制器中执行了一些操作)] 所以如果我没有找到更好的解决方案,我还需要添加 "Administrator" 。
Using Authorize attribute i may specify roles which is allowed to access the resources.
[Authorize(Roles="User")]
But if i have admin user which is allowed to go to any resource i need specify this one as well
[Authorize(Roles="User, Administrator")]
But may be there is some way i can say somehow that Administrator allowed to go anywhere and not to specify this one in Authorize attribute?
So i mean if somewhere in code(on controller or on action) would be this [Authorize(Roles="User")] it means that Administrator role allowed to go there as well.
Or may be i may set it to all Authorize roles dynamically how when application start?
Any ideas?
UPDATED:
Currently i have one admin controller with Authorize attribute [Authorize(Role="Administrator")] and i have some actions in some another controllers with attributes [Authorize(Role="User")] so i will need to add "Administrator" there as well if i didn't find better solution.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
我认为这对你有用。使用 AuthorizeAttribute 创建您自己的基控制器,然后使其他控制器继承您的基类。
在我看来,这很可怕。
您有多少个控制器/操作?如果您稍后忘记了这一点并且您可能不希望管理员访问某个页面怎么办?
调试代码会变得更加困难吗?
I think this will work for you. Create your own base controller, with the AuthorizeAttribute, then make your other Controllers inherit your base class.
This is scary though, in my opinion.
How many controllers/Actions do you have? What if you forget about this later and maybe you have a page you don't want Admins to access?
Will debugging the code become more difficult?
您可以创建自定义过滤器并使用它来装饰您的操作或控制器。
这是一个我经常使用的简单结构:
您可以阅读更多内容 此处
You can create a custom filter and use it to decorate your Actions or Controllers with it.
This is a simple structure I've used quite a lot:
You can read some more here
您需要静态角色和运行时角色的概念。这是一个简单的示例:
您的角色列表及其级别:
用户及其静态角色(静态角色是您分配给用户的角色):
在运行时,您可以使用静态角色和角色级别生成运行时角色,具有较高角色级别的用户会自动获取较低级别的角色。因此,经过计算,这些用户的运行时角色将是:
然后,您可以简单地使用[Authorize(Roles="Viewer")],具有更高权限级别的用户(例如John,Sam)也可以访问它。因为他们在运行时还必须具有查看者角色。
使用静态角色和运行时角色的要点是静态角色使角色分配更容易。运行时角色使资源授权变得更加容易。
You need the concept of Static Role and Runtime Role. Here is a simple example:
Your role list and their levels:
Users and their Static Role (Static Role is the role you assigned to users):
At run time you generate a Run Time Role by using Static Role and Role Levels, Users with higher level of roles automatically obtain the roles in lower levels. So, after calculation, the Run Time Roles for these Users will be:
And then, you can simply use [Authorize(Roles="Viewer")], Users with higher Level of permissions (e.g. John, Sam) can access to it too. Because they must also have the Viewer role at run time.
The point of using Static Role and Run Time Role is that Static Role makes the role assignment easier. And Run time role make the resources authorization easier.
这就是我所做的:确保具有“管理员”角色的用户也具有“用户”角色。
This is what I do: make sure users who are in the "Admin" role are also in the "User" role.