ASP.NET MVC3 角色和权限管理 ->使用运行时权限分配 [英] ASP.NET MVC3 Role and Permission Management -> With Runtime Permission Assignment

问题描述

ASP.NET MVC 允许用户在设计时为功能(即操作)分配权限，就像这样.

ASP.NET MVC allows users the ability to assign permissions to functionality (i.e. Actions) at Design Time like so.

[Authorize(Roles = "Administrator,ContentEditor")]
public ActionResult Foo()
{
    return View();
}

要实际检查权限，可以在(Razor)视图中使用以下语句:

To actually check the permission, one might use the following statement in a (Razor) view:

@if (User.IsInRole("ContentEditor"))
{
    <div>This will be visible only to users in the ContentEditor role.</div>
}

这种方法的问题在于，必须在设计时设置所有权限并将其分配为属性.(属性是与 DLL 一起编译的，所以我目前不知道在 运行时 没有机制可以应用属性(以允许额外的权限)，例如 [Authorize(Roles = "Administrator,ContentEditor")].

The problem with this approach is that all permissions must be set up and assigned as attributes at design time. (Attributes are compiled in with the DLL so I am presently aware of no mechanism to apply attributes (to allow additional permissions) such as [Authorize(Roles = "Administrator,ContentEditor")] at runtime.

在我们的用例中，客户端需要能够在部署后更改用户拥有什么权限.

In our use case, the client needs to be able to change what users have what permissions after deployment.

例如，客户端可能希望允许 ContentEditor 角色的用户编辑某些特定类型的内容.也许不允许用户编辑查找表值，但现在客户端希望允许此操作而不授予用户all 下一个更高角色的权限.相反，客户端只是想修改用户的当前角色可用的权限.

For example, the client may wish to allow a user in the ContentEditor role to edit some content of a particular type. Perhaps a user was not allowed to edit lookup table values, but now the client wants to allow this without granting the user all the permissions in the next higher role. Instead, the client simply wants to modify the permissions available to the user's current role.

有哪些策略可用于允许在属性之外(如在数据库中)定义对 MVC 控制器/视图/操作的权限并在运行时进行评估和应用?强>

如果可能，我们非常希望尽可能坚持使用 ASP.NET Membership 和 Role Provider 功能，以便我们可以继续利用它提供的其他好处.

If possible, we would very much like to stick as closely as we can to the ASP.NET Membership and Role Provider functionality so that we can continue to leverage the other benefits it provides.

预先感谢您提供任何想法或见解.

Thank you in advance for any ideas or insights.

推荐答案

有哪些策略可用于允许对 MVC 的权限要在属性之外定义的控制器/视图/操作(如在数据库)并在运行时进行评估和应用?

What options are strategies are available to allow permissions on MVC Controllers/Views/Actions to be defined outside of attributes (as in a database) and evaluated and applied at runtime?

自定义授权属性是实现此目的的一种可能性:

A custom Authorize attribute is one possibility to achieve this:

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        Roles = ... go ahead and fetch those roles dynamically from wherever they are stored
        return base.AuthorizeCore(httpContext);
    }
}

然后:

[MyAuthorize]
public ActionResult Foo()
{
    return View();
}

这篇关于ASP.NET MVC3 角色和权限管理 ->使用运行时权限分配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！