How can I use a variable in [Authorize(Roles="")]
Problem description
I have an MVC 5 C# intranet web application where we have over 30 Active Directory roles in use, and permissions are often a changing thing due to the business culture.
To make things easy for myself, I thought I would try something like this to determine who is allowed access to a controller action or child action.
    /* This function runs a LINQ query and outputs a comma delimited string of
       approved active directory roles.
    */
    private static string _approvedRoles =
        Helpers.QueryableExtensions.GetApprovedRoles("FourCourseAudit");

    // GET: FourCourseAudits
    [Authorize(Roles = _approvedRoles)]
    public ActionResult Index(string searchBy="All",
        string orderBy="Campus", string orderDir="Asc")
    {
        // and so on...
Unfortunately, I get this compile time error: An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type.
This is where I am after trying other approaches with the _approvedRoles variable, such as public const string and public string. I placed the GetApprovedRoles function in the model, in the repository (where it is now), and in the body of the controller.
I know the roles are good because if I use this: [Authorize(Roles="DOMAIN\Role1,DOMAIN\Role2")] it works. And that's not a feasible option for me because the roles change and this is a very large MVC site. Is there some way I can let Roles be a variable?
Recommended answer
The arguments need to be known at compile time, but your query happens at run time.
The easiest way to do this is to create a custom AuthorizeAttribute. Inside the Authorize() method, you can do any checks you want, including querying a database. You can also pass custom parameters into the constructor, if you want more flexibility in reusing the attribute. As an example:
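    using System.Linq;
    using System.Web.Mvc;
    using System.Web.Routing;

    public class RoleAuthorizeAttribute : AuthorizeAttribute
    {
        // or inject it (placeholder: substitute the application's own context class)
        private DbContext _db = new DbContext();
        private string _filter;

        public RoleAuthorizeAttribute(string filter)
        {
            _filter = filter;
        }

        /// <summary>
        /// Check authorization
        /// </summary>
        /// <param name="filterContext"></param>
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            var currentUser = filterContext.HttpContext.User;

            // do some checks, query a database, whatever
            string approvedRoles = Helpers.QueryableExtensions.GetApprovedRoles(_filter);

            // GetApprovedRoles returns a comma-delimited string; allow the request
            // only if the user is in at least one of those roles
            bool allowed = (approvedRoles ?? "")
                .Split(',')
                .Any(role => role.Trim().Length > 0 && currentUser.IsInRole(role.Trim()));

            if (!allowed)
            {
                filterContext.Result = new RedirectToRouteResult("Error", new RouteValueDictionary());
            }
        }
    }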
To use:
[RoleAuthorize("FourCourseAudit")]
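
An added example, not part of the original question or answer: the same run-time role lookup done by overriding AuthorizeCore, so the base class still handles authentication and [AllowAnonymous], an empty role list denies access, and an authenticated user outside the approved roles gets a 403. The names DynamicRolesAuthorizeAttribute and RoleLookup and the 5-minute cache lifetime are assumptions; RoleLookup stands in for the page's GetApprovedRoles helper.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Runtime.Caching;
using System.Web;
using System.Web.Mvc;

public class DynamicRolesAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at startup to the real lookup (e.g. GetApprovedRoles).
    public static Func<string, string> RoleLookup = key => string.Empty;
    private readonly string _key;

    public DynamicRolesAuthorizeAttribute(string key) { _key = key; }

    // Parse the comma-delimited role string and cache it briefly, so requests do not
    // each hit the database while role changes still take effect within minutes.
    private string[] GetRoles()
    {
        var cacheKey = "approved-roles:" + _key;
        var roles = MemoryCache.Default.Get(cacheKey) as string[];
        if (roles == null)
        {
            roles = (RoleLookup(_key) ?? string.Empty)
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                .Select(r => r.Trim())
                .Where(r => r.Length > 0)
                .ToArray();
            MemoryCache.Default.Set(cacheKey, roles, DateTimeOffset.UtcNow.AddMinutes(5));
        }
        return roles;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check rejects unauthenticated users.
        if (!base.AuthorizeCore(httpContext)) return false;
        // Fail closed: an empty or missing role list denies access.
        return GetRoles().Any(httpContext.User.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not in an approved role: 403 instead of a new login challenge.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

It is applied the same way, as [DynamicRolesAuthorize("FourCourseAudit")]; the attribute keeps no per-request state, so a shared instance is safe.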