asp.net mvc authorization using roles


Question

I'm creating an asp.net mvc application that has the concept of users. Each user is able to edit their own profile. For instance:

Nothing particularly exciting there...

However, I have run into a bit of trouble with the Authorization scheme. There are only two roles in the system right now, "Administrator" and "DefaultUser", but there will likely be more in the future.

I can't use the regular Authorize attribute to specify Authorization because both users are in the same role (i.e., "DefaultUser").

So, if I specify the Authorize Filter like so:

[Authorize(Roles = "DefaultUser")]

then there is no effect. PersonID=1 can go in and edit their own profile (as they should be able to), but they can also just change the URL to http://localhost/person/edit/2 and they have full access to edit PersonID=2's profile as well (which they should not be able to do).

Does this mean that I have to create my own Authorization filter that checks if the action the user is requesting "belongs" to them before allowing them access? That is, if the edit action, with parameter = 1 is being requested by the currently logged in person, do I need to do a custom check to make sure that the currently logged in person is PersonID=1, and if so, authorize them, and if not, deny access?

Feels like I'm missing something obvious here, so any guidance would be appreciated.

Answer

Maybe you could organize the controller action such that the URL is more like http://localhost/person/editme and it displays the edit form for the currently-logged-in user. That way there's no way a user could hack the URL to edit someone else.
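Both approaches raised on this page can be shown in one controller: the ownership-checking authorization filter the question asks about (which also covers the POST, since an attacker can edit the id in the form body just as easily as in the URL), and the /person/editme route the answer suggests, which never takes an id from the client at all. This is an added example for ASP.NET MVC 3+, not code from the original post. It assumes the forms-authentication user name holds the numeric PersonID, that the edit action's parameter is named `id`, and a hypothetical `PersonRepository`; a real application would map the identity to a PersonID through its user store or a claim.

```csharp
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical data access (assumption; replace with the application's own repository).
public class Person { public int PersonID { get; set; } public string DisplayName { get; set; } }
public static class PersonRepository
{
    public static Person Get(int id) { return new Person { PersonID = id, DisplayName = "person " + id }; }
    public static void Save(Person p) { /* persist */ }
}

// Role check plus resource-ownership check: the requested PersonID must equal the caller's,
// unless the caller is an Administrator. Role membership alone cannot distinguish two DefaultUsers.
public class AuthorizeOwnerAttribute : AuthorizeAttribute
{
    public string IdParameter { get; set; }           // route/form parameter holding the PersonID
    public AuthorizeOwnerAttribute() { IdParameter = "id"; }   // assumption: the parameter is "id"

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);          // authenticated and in Roles, or redirected to login
        if (filterContext.Result != null) return;

        var user = filterContext.HttpContext.User;
        if (user.IsInRole("Administrator")) return;   // administrators may edit anyone

        // Look at the route value first (/person/edit/2), then the query string or posted form body,
        // so a tampered hidden field on the POST is rejected the same way as a tampered URL.
        object raw = filterContext.RouteData.Values[IdParameter]
                     ?? filterContext.HttpContext.Request[IdParameter];
        int requestedId;
        if (raw == null || !int.TryParse(raw.ToString(), out requestedId)
            || requestedId != CurrentPersonId(user))
        {
            // 403, not a redirect to the login page: the caller is authenticated, just not the owner.
            filterContext.Result = new HttpStatusCodeResult(403, "Not the owner of this profile");
        }
    }

    // Assumption: the authenticated user name is the numeric PersonID.
    public static int CurrentPersonId(IPrincipal user) { return int.Parse(user.Identity.Name); }
}

public class PersonController : Controller
{
    // /person/edit/2 now returns 403 for PersonID=1 even though both are DefaultUsers.
    [AuthorizeOwner(Roles = "DefaultUser,Administrator")]
    public ActionResult Edit(int id) { return View(PersonRepository.Get(id)); }

    [HttpPost, ValidateAntiForgeryToken]
    [AuthorizeOwner(Roles = "DefaultUser,Administrator")]
    public ActionResult Edit(int id, Person model)
    {
        model.PersonID = id;                          // the filter has already verified id belongs to the caller
        PersonRepository.Save(model);
        return RedirectToAction("Edit", new { id });
    }

    // The answer's alternative: /person/editme derives the target from the identity, so there is
    // no id in the URL or the form for a user to change. Plain role-based [Authorize] is enough here.
    [Authorize(Roles = "DefaultUser")]
    public ActionResult EditMe()
    {
        return View("Edit", PersonRepository.Get(AuthorizeOwnerAttribute.CurrentPersonId(User)));
    }

    [HttpPost, ValidateAntiForgeryToken]
    [Authorize(Roles = "DefaultUser")]
    public ActionResult EditMe(Person model)
    {
        model.PersonID = AuthorizeOwnerAttribute.CurrentPersonId(User);   // ignore any posted PersonID
        PersonRepository.Save(model);
        return RedirectToAction("EditMe");
    }
}
```

The two designs are not mutually exclusive: keep the ownership filter on any action that still accepts an id (the administrator's edit-anyone path needs one), and use the id-free route for the ordinary self-service case so the class of URL-tampering bug the question describes cannot recur there.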
