自定义属性 +使用查询字符串验证权限?
我网站的某个部分检查登录用户是否可以访问记录的 ID(报告 ID),如果可以,他们可以查看该页面上的内容。可以有各种不同类型的用户/公司查看内容。
编写检查用户是否可以访问 id 的自定义属性的最佳实践是什么?我应该传入查询字符串吗?请注意,id 将来自路由/url。
例如,报告 ID = 678。 urls:
- /Report/678/Detail
- /Report/678/Progress/Staging
- /Report/678/TaskManager/78/
- /Report/678/Participants
使用下面的代码
[ReportAuthorizationAttribute ())] //get query string yourself
[ReportAuthorizationAttribute (Request.Querystring["reportid"))] //this does not look possible to do???
//将添加到基本控制器的代码< /strong> 该区域
public class ReportAuthorizationAttribute : AuthorizeAttribute
{
/// <summary>
/// inject via Ninject - there must be a better way? Using service locator?
/// </summary>
[Inject]
public readonly IReportRepo _repo { get; set; }
[Inject]
public readonly IUserSession _user { get; set; }
private int _reportid;
public ReportAuthorizationAttribute()
: base()
{ //*Is this way the best way?*
_reportid= Int32.Parse(HttpContext.Current.Request.QueryString["reportid"]);
}
public ReportAuthorizationAttribute(params int reportid)
: base()
{
_reportid = reportid;
}
public ReportAuthorizationAttribute(params string reportid)
: base()
{
_reportid= Int32.Parse(reportid);
}
public bool AlwaysAllowLocalRequests = false;
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new NoAccessException("httpContext is null");
if (!httpContext.User.Identity.IsAuthenticated)
throw new NoAccessException("unauthorized user");
var companyid = _user.GetCurrentUser().CompanyID;
if (AlwaysAllowLocalRequests && _repo.IsCompanyParticipantInReport(_reportid, companyid))
return true;
return false;
}
}
I have a certain part of my site that checks if the logged on user can access the id of a record (Report id), if so they can view the content on that page. There can be various different types of users/companies that will view the content.
What is the best practise for writing a custom attribute that will check if user can access the id? Should I pass in a query string? Note that the id will come from the route/url.
E.g. Report id = 678.
urls:
- /Report/678/Detail
- /Report/678/Progress/Staged
- /Report/678/TaskManager/78/
- /Report/678/Participants
usage of code below
[ReportAuthorizationAttribute ())] //get query string yourself
[ReportAuthorizationAttribute (Request.Querystring["reportid"))] //this does not look possible to do???
//Code that will be added to the base controller for this area
public class ReportAuthorizationAttribute : AuthorizeAttribute
{
/// <summary>
/// inject via Ninject - there must be a better way? Using service locator?
/// </summary>
[Inject]
public readonly IReportRepo _repo { get; set; }
[Inject]
public readonly IUserSession _user { get; set; }
private int _reportid;
public ReportAuthorizationAttribute()
: base()
{ //*Is this way the best way?*
_reportid= Int32.Parse(HttpContext.Current.Request.QueryString["reportid"]);
}
public ReportAuthorizationAttribute(params int reportid)
: base()
{
_reportid = reportid;
}
public ReportAuthorizationAttribute(params string reportid)
: base()
{
_reportid= Int32.Parse(reportid);
}
public bool AlwaysAllowLocalRequests = false;
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new NoAccessException("httpContext is null");
if (!httpContext.User.Identity.IsAuthenticated)
throw new NoAccessException("unauthorized user");
var companyid = _user.GetCurrentUser().CompanyID;
if (AlwaysAllowLocalRequests && _repo.IsCompanyParticipantInReport(_reportid, companyid))
return true;
return false;
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您使用路由,
reportid不会成为查询字符串的一部分。您需要从路由中获取它:也不要在操作过滤器构造函数中使用 HttpContext.Current。仅在
AuthorizeCore方法内使用它:If you use routing,
reportidwon't be part of the query string. You need to fetch it from the route:Also don't use HttpContext.Current in your action filter constructor. Use it only inside the
AuthorizeCoremethod: