Asp.net 4 MVC3 松散耦合角色和操作
对于一个项目,我正在制作一个 mvc3 asp.net 应用程序。我想要实现的功能之一是松散耦合的角色 - 操作归因。基本上,管理员用户应该能够创建角色并将其与操作链接起来。
角色本身存储在数据库中。
我想知道以下方法是否有效:
//Definition of a the Attribute
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MyFlexibleAttribute : AuthorizeAttribute
{
private Repository RolesRepository = new Repository();
public String ActionName {get; set;}
public MyFlexibleAttribute()
{
Roles = RolesRepository.getStringRolesSeparatedByComma(ActionName)
}
}
// where in a random controller of a view, I could state
[MyFlexibleAttribute(ActionName = "SpecialAction"]
public ActionResult SpecialAction()
{
return View();
}
您的意见是什么?
谢谢
*更新** 您好,我最近在使用数据库上下文时发现了上述设计的一些可能的缺陷。由于自定义属性的生命周期大于或等于控制器的生命周期,因此在实例化属性时调用新存储库可能会由于存储库的内部状态而导致可能的差异和安全泄漏(如果使用例如 dbContext )。
EG 数据库已更新,新角色有新操作,但存储库未刷新...
那么在这种情况下它是什么样子的:
public ActionTypeName ActionTypeName {get; set;}
private Repository repo;
public CustomAuthorizeAction(ActionTypeName actionTypeName)
{
this.ActionTypeName = actionTypeName;
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
//instantiate new instance when calling the OnAuthorization method
this.repo = new Repository();
List<Role> tmp = repo.getRolesLinkedToAction(this.ActionTypeName).ToList();
Roles = String.Join(",", tmp.Select(r => r.Name));
base.OnAuthorization(filterContext);
}
希望这会有所帮助
for a project, I am making a mvc3 asp.net application. One of the features I would like to implement, is a loose coupled Role - Action attribution. Basically admin user should be a able to create roles and link them with actions.
The roles themselves being stored in a database.
I am wondering whether something in the line of the following approach would work:
//Definition of a the Attribute
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MyFlexibleAttribute : AuthorizeAttribute
{
private Repository RolesRepository = new Repository();
public String ActionName {get; set;}
public MyFlexibleAttribute()
{
Roles = RolesRepository.getStringRolesSeparatedByComma(ActionName)
}
}
// where in a random controller of a view, I could state
[MyFlexibleAttribute(ActionName = "SpecialAction"]
public ActionResult SpecialAction()
{
return View();
}
What is your opinion?
Thanks
*UPDATE**
Hi, I've recently discovered some possible lacunas with the above design when using db context. As the lifespan of the the custom attribute is greater or equal then the lifespan of the controller, calling a new repository when instantiating the attribute, could lead to possible discrepenacies and security leaks due to the internal state of repository (if this uses for instance dbContext).
E.G. database is updated, new action for new role, but the repository is not refreshed...
So what it look like, in this context:
public ActionTypeName ActionTypeName {get; set;}
private Repository repo;
public CustomAuthorizeAction(ActionTypeName actionTypeName)
{
this.ActionTypeName = actionTypeName;
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
//instantiate new instance when calling the OnAuthorization method
this.repo = new Repository();
List<Role> tmp = repo.getRolesLinkedToAction(this.ActionTypeName).ToList();
Roles = String.Join(",", tmp.Select(r => r.Name));
base.OnAuthorization(filterContext);
}
hope this helps
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的,它会起作用,并且在您不想使用具有标准属性的字符串对动态角色进行硬编码的情况下,它是实现动态角色的正确方法。
Yes, it will work and is the correct way to implement dynamic roles in the case where you don't want to hardcode them using strings with the standard attribute.