如何在[Authorize(Roles =“"“)]中使用变量 [英] How can I use a variable in [Authorize(Roles="")]

问题描述

我有一个MVC 5 C#Intranet Web应用程序，其中使用了30多个Active Directory角色，并且由于企业文化的原因，权限通常会发生变化.

I have an MVC 5 C# intranet web application where we have over 30 Active Directory roles in use, and permissions are often a changing thing due to the business culture.

为了让自己更轻松，我想我会尝试类似的方法来确定允许谁访问控制器操作或子操作.

To make things easy for myself, I thought I would try something like this to determine who is allowed access to a controller action or child action.

/* This function runs a LINQ query and outputs a comma delimited string of 
   approved active directory roles.
*/

    private static string _approvedRoles = 
            Helpers.QueryableExtensions.GetApprovedRoles("FourCourseAudit");

    // GET: FourCourseAudits    
    [Authorize(Roles = _approvedRoles)]
    public ActionResult Index(string searchBy="All", 
          string orderBy="Campus", string orderDir="Asc")
    {

    // and so on... 

不幸的是，我收到此编译时错误:An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type.

Unfortunately, I get this compile time error: An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type.

这是我尝试使用_approvedRoles变量的其他方法(例如public const string和public string)之后的位置.我将GetApprovedRoles函数放置在模型中，存储库中(现在在其中)以及控制器主体中.

This is where I am after trying other approaches with the _approvedRoles variable, such as public const string and public string. I placed the GetApprovedRoles function in the model, in the repository (where it is now), and in the body of the controller.

我知道角色很好，因为如果我使用此功能:[Authorize(Roles="DOMAIN\Role1,DOMAIN\Role2")]它可以工作.对于我来说，这不是一个可行的选择，因为角色会发生变化，并且这是一个非常大的MVC网站.有什么方法可以让Roles成为变量?

I know the roles are good because if I use this: [Authorize(Roles="DOMAIN\Role1,DOMAIN\Role2")] it works. And that's not a feasible option for me because the roles change and this is a very large MVC site. Is there some way I can let Roles be a variable?

推荐答案

在编译时需要知道参数，但是查询在运行时发生.

The arguments need to be known at compile time, but your query happens at run time.

最简单的方法是创建一个自定义AuthorizeAttribute .在Authorize()方法中，您可以进行所需的任何检查，包括查询数据库.如果您希望在重用属性时具有更大的灵活性，还可以将自定义参数传递到构造函数中.例如:

The easiest way to do this is to create a custom AuthorizeAttribute. Inside the Authorize() method, you can do any checks you want, including querying a database. You can also pass custom parameters into the constructor, if you want more flexibility in reusing the attribute. As an example:

public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    // or inject it
    private DbContext _db = new DbContext();

    private string _filter;

    public RoleAuthorizeAttribute(string filter)
    {
        _filter = filter;
    }

    /// <summary>
    /// Check authorization
    /// </summary>
    /// <param name="filterContext"></param>
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var currentUser = HttpContext.Current.User;

        // do some checks, query a database, whatever
        string approvedRoles =  Helpers.QueryableExtensions.GetApprovedRoles(_filter);

        if (!currentUser.IsInRole(...))
        {
            filterContext.Result = new RedirectToRouteResult("Error", new RouteValueDictionary());
        }
    }
}

要使用:

[RoleAuthorize("FourCourseAudit")]

这篇关于如何在[Authorize(Roles =“"“)]中使用变量的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！