MVC3 authorization: is calling an authorized action from another action bad form?

Posted 2024-11-30 02:49:50

Is it required to use RedirectToAction when calling a controller action from another action? I currently just call them directly because I do not want them to return, and thus I bypass the Authorize tag to one of my actions (which does what I want).

Can you please let me know if this is bad form, and if so, should I create multiple new actions to set the client cookies or just set them directly in the LogOn() Action?

Can I instead make SwitchClient private, and then make a public Authorized action to be used only by Administrators on the client-side? Then, the private action would be called via the LogOn action, but cannot be accessed unless the users are authenticated as Administrators.

Here is my code:

        // Namespaces this controller fragment needs:
        // System, System.Linq, System.Web, System.Web.Mvc, System.Web.Security

        [HttpGet]
        [CustomAuthorizeAccess(Roles = "Administrator", RedirectResultUrl = "Unauthorized")]
        public ActionResult SwitchClient(string client)
        {
            // The attribute above is an MVC action filter: it is evaluated only when
            // the MVC pipeline dispatches an HTTP request to this action. A plain C#
            // call such as SwitchClient("client1") from LogOn below does not run it.

            // Response.Cookies.Set adds the cookie or overwrites one already queued on
            // the response, which is the net effect of the Request/Response if-else.
            Response.Cookies.Set(new HttpCookie("Client", client));

            // Request.UrlReferrer is null when the browser sends no Referer header;
            // guard it instead of dereferencing it, and only redirect to a local path.
            string back = Request.UrlReferrer != null ? Request.UrlReferrer.AbsolutePath : null;
            if (!string.IsNullOrEmpty(back) && Url.IsLocalUrl(back))
            {
                return Redirect(back);
            }
            return RedirectToAction("Index", "Home");
        }

        [HttpPost]
        public ActionResult LogOn(LogOnModel model, string returnUrl)
        {
            if (ModelState.IsValid)
            {
                if (MembershipService.ValidateUser(model.UserName, model.Password))
                {
                    FormsService.SignIn(model.UserName, model.RememberMe);

                    // Add user's role to cookies (assumes each user only has one role).
                    // FirstOrDefault: First() throws for a user with no role at all.
                    string role = Roles.GetRolesForUser(model.UserName).FirstOrDefault() ?? string.Empty;
                    HttpCookie roleCookie = new HttpCookie("Role", role);

                    // Direct calls: the [CustomAuthorizeAccess] filter on SwitchClient is
                    // not evaluated here, and the RedirectResult it returns is discarded;
                    // only its cookie side effect is wanted.
                    if (role == "client1")
                    {
                        SwitchClient("client1");
                    }
                    else if (role == "client2")
                    {
                        SwitchClient("client2");
                    }
                    else if (role == "Administrator" || role == "client3")
                    {
                        SwitchClient("client3");
                    }

                    // Make role cookie persistent for 7 days if user selected "Remember Me"
                    if (model.RememberMe)
                    {
                        roleCookie.Expires = DateTime.Today.AddDays(7);
                    }
                    // Set replaces any Role cookie already queued on the response.
                    // (Response.Cookies["Role"] is never null: the indexer creates it,
                    // so the original null check followed by Remove/Add was a no-op.)
                    Response.Cookies.Set(roleCookie);

                    // Write the cookies before branching on returnUrl so they are set
                    // on both paths, not only when no local returnUrl was supplied.
                    if (Url.IsLocalUrl(returnUrl))
                    {
                        return Redirect(returnUrl);
                    }
                    return RedirectToAction("Index", "Home");
                }
                else
                {
                    ModelState.AddModelError("", "The user name or password provided is incorrect.");
                }
            }
            // If we got this far, something failed, redisplay form
            return View(model);
        }

1 comment

感情洁癖 2024-12-07 02:49:50

I would refactor the "switch client" logic into a private method or a utility class. Both controller action methods would call the private method.

This way the code and your intent would be less confusing.
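As an added illustration of the refactor suggested in the answer above (this is not code from the original post): the cookie writes move into private helpers that both actions call, so the [CustomAuthorizeAccess] attribute stays on the one method that is reachable over HTTP. Action filters in ASP.NET MVC are applied by the action invoker when it dispatches a request to an action; a C# call from one action method to another is an ordinary method call and never passes through a filter, which is why the asker's LogOn could call SwitchClient unchallenged. CustomAuthorizeAccess, LogOnModel, MembershipService and FormsService are taken from the question's own code and are assumed to exist in the project; ClientForRole, SetClientCookie, SetRoleCookie and BuildCookie are helper names introduced here. SwitchClient is changed to POST with an anti-forgery token because it alters state; the HttpOnly and Secure flags assume the site is served over HTTPS and that no page script needs to read these cookies.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed to exist in the project (referenced in the question, not shown):
// CustomAuthorizeAccess, LogOnModel, MembershipService, FormsService.
public class AccountController : Controller
{
    private const string ClientCookieName = "Client";
    private const string RoleCookieName = "Role";

    // The only HTTP-reachable way to pick a client explicitly. The filter runs
    // because the MVC action invoker dispatches the request here; calling this
    // method from C# would skip it, so nothing else in the class calls it.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [CustomAuthorizeAccess(Roles = "Administrator", RedirectResultUrl = "Unauthorized")]
    public ActionResult SwitchClient(string client)
    {
        SetClientCookie(client, persistent: false);

        // Request.UrlReferrer is null when no Referer header was sent.
        string back = Request.UrlReferrer != null ? Request.UrlReferrer.AbsolutePath : null;
        if (!string.IsNullOrEmpty(back) && Url.IsLocalUrl(back))
        {
            return Redirect(back);
        }
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        if (!MembershipService.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

        FormsService.SignIn(model.UserName, model.RememberMe);

        // The client is derived from the server-side role store, so there is no
        // authorization decision to make here: a user is only ever mapped to the
        // client their own role dictates. A private helper, not the action, does it.
        string role = Roles.GetRolesForUser(model.UserName).FirstOrDefault() ?? string.Empty;
        SetRoleCookie(role, model.RememberMe);
        SetClientCookie(ClientForRole(role), model.RememberMe);

        // Cookies are queued on both paths, local returnUrl or not.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // The mapping the question expressed as an if/else chain.
    private static string ClientForRole(string role)
    {
        switch (role)
        {
            case "client1": return "client1";
            case "client2": return "client2";
            case "Administrator":
            case "client3": return "client3";
            default: return string.Empty;
        }
    }

    private void SetClientCookie(string client, bool persistent)
    {
        // Set adds the cookie or replaces one already queued on the response.
        Response.Cookies.Set(BuildCookie(ClientCookieName, client, persistent));
    }

    private void SetRoleCookie(string role, bool persistent)
    {
        Response.Cookies.Set(BuildCookie(RoleCookieName, role, persistent));
    }

    private static HttpCookie BuildCookie(string name, string value, bool persistent)
    {
        var cookie = new HttpCookie(name, value)
        {
            HttpOnly = true,   // assumption: no page script reads these cookies
            Secure = true      // assumption: the site is served over HTTPS
        };
        if (persistent)
        {
            cookie.Expires = DateTime.UtcNow.AddDays(7);
        }
        return cookie;
    }
}
```

One caveat worth keeping in mind with this design: both cookie values travel to the browser and come back under the user's control, so server code must treat them as a display or routing hint only. Any check that actually grants access should go back to the server-side role store (Roles.IsUserInRole or User.IsInRole), not to the Role cookie.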
