How to Extend/Architect the ASP.NET MVC 3 Authorize Attribute to Handle This Scenario


Question

I've been trying to think this answer through and can't find a good solution on how to properly do this.

I've read over these articles:

http://schotime.net/blog/index.php/2009/02/17/custom-authorization-with-aspnet-mvc/
http://geekswithblogs.net/brians/archive/2010/07/08/implementing-a-custom-asp.net-mvc-authorization-filter.aspx
ASP.NET MVC custom authorization
http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx
Custom Authorize Attribute additional Param?

Thinking maybe the last one is close.

Scenario:

  • Users create Roles
  • Users can specify which Roles have access to what
  • Users add Users to those Roles
  • Users are also part of a Department

So in the controller how could I say that a user has access to an action, since I don't know what Roles the User's Admin created?

So in logic... let's say I have a Task controller with a "Create" and a "Details" action. The Task has a Department of "Clothing".

  • Task:
    -- TaskID
    -- TaskTitle
    -- TaskDepartmentID

  • User:
    -- UserName
    -- Roles
    -- Departments

I would somehow associate the "Create" action with the "Create Task" ability
I would somehow associate the "Details" action with the "View Task Details" ability

The admin would add a new role called "Task Users" and say this role can "Create Tasks"
The admin would also allow this role to "View Task Details"
The admin would turn on "Department Level Security"

Creating:
When the Task Create action is called on the controller I would need to make sure the user is in a Role that allows "Create Task". So by default I can't send the allowed "Roles" into the Authorize Attribute because I don't know them. I somehow need to send in all the Roles the user has and see if a role has access to "Create Tasks".

Viewing with Department Security:
When another user goes to view this task, they may have access to "View Task Details" (which I can figure out however I solve the first issue). However, since the Task is for a department other than the one they are in, I need to deny access. The user can only "View Task Details" if the Task is part of one of the Departments the User is in.

This is what I can't figure out. How to properly extend the AuthorizeAttribute so I can send in a list of Roles via GetRolesForUser since it only accepts a string, and how to identify what Action it's for and then limit security on another level by checking for the Department ID.

Department ID doesn't necessarily have to be cached, so maybe I can do that at the controller level.
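One way to implement both checks the question asks for, as an added example that is not part of the original question, the answer, or the linked articles: an AuthorizeAttribute subclass that takes an ability name instead of a fixed role list, fetches every role the user is in with Roles.GetRolesForUser (which takes the user name and returns a string array), asks a store whether any of those roles grants the ability, and, for actions keyed by a task id in the route, compares the task's department with the user's departments. The IPermissionStore interface, the AbilityAuthorizeAttribute class and its route-key parameter are assumptions of this example, not ASP.NET MVC APIs; the example generalizes the "Create Task" / "View Task Details" case to any admin-defined ability name.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed abstraction over the admin-maintained role/ability and department tables.
// A real application would implement it against its database; it is not an MVC API.
public interface IPermissionStore
{
    // True if any of the given roles has been granted the named ability, e.g. "CreateTask".
    bool AnyRoleGrants(string[] roles, string ability);

    // The admin's "Department Level Security" switch.
    bool DepartmentSecurityEnabled { get; }

    // Department of the task, or null if no such task exists.
    int? GetTaskDepartmentId(int taskId);

    // Departments the user belongs to.
    int[] GetUserDepartmentIds(string userName);
}

// Authorizes by ability name instead of a fixed role list, and optionally by the
// department of the task named in the route (e.g. /Task/Details/5).
public class AbilityAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _ability;
    private readonly string _taskIdRouteKey; // null for actions not tied to one task, e.g. Create

    public AbilityAuthorizeAttribute(string ability) : this(ability, null) { }

    public AbilityAuthorizeAttribute(string ability, string taskIdRouteKey)
    {
        if (string.IsNullOrEmpty(ability)) throw new ArgumentException("ability is required", "ability");
        _ability = ability;
        _taskIdRouteKey = taskIdRouteKey;
    }

    // Resolved per request through MVC 3's DependencyResolver; swap in your own container if needed.
    protected virtual IPermissionStore GetStore()
    {
        return DependencyResolver.Current.GetService<IPermissionStore>();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the stock checks: the user must be authenticated (and match Users/Roles if those are set).
        if (!base.AuthorizeCore(httpContext)) return false;

        string userName = httpContext.User.Identity.Name;
        IPermissionStore store = GetStore();

        // Check 1: GetRolesForUser returns every role the admin placed the user in;
        // the store decides whether any of them carries the requested ability.
        string[] roles = Roles.GetRolesForUser(userName);
        if (!store.AnyRoleGrants(roles, _ability)) return false;

        // Check 2: department scoping, only for task-bound actions and only when the admin switched it on.
        if (_taskIdRouteKey == null || !store.DepartmentSecurityEnabled) return true;

        object raw = httpContext.Request.RequestContext.RouteData.Values[_taskIdRouteKey]
                     ?? httpContext.Request[_taskIdRouteKey];
        int taskId;
        if (raw == null || !int.TryParse(raw.ToString(), out taskId)) return false; // missing or malformed id: deny

        // Look the department up server-side from the task id; never trust a department id sent by the client.
        int? taskDepartment = store.GetTaskDepartmentId(taskId);
        if (taskDepartment == null) return false; // unknown task gets the same 403 as a wrong department

        return store.GetUserDepartmentIds(userName).Contains(taskDepartment.Value);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The stock behaviour redirects to the login page; an authenticated user who lacks the
        // ability or is in the wrong department should get 403 instead of a login prompt.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage on the Task controller from the question.
public class TaskController : Controller
{
    [AbilityAuthorize("CreateTask")]
    public ActionResult Create()
    {
        return View();
    }

    [AbilityAuthorize("ViewTaskDetails", "id")]
    public ActionResult Details(int id)
    {
        return View();
    }
}
```

Both checks deliberately live in AuthorizeCore rather than in an OnAuthorization override: AuthorizeCore is the method the stock attribute re-runs through the output-cache validation callback, so a Details page that has been output-cached is not handed to a user from another department. The task id is taken from the route (or query string) and the department is looked up from it on the server, so the client cannot influence which department is compared.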

Answer

I had a somewhat similar problem and I did not use the Authorize attribute.

Instead I decided to take two different layouts for the different users.

If the user is Admin then he will go to a different view, and if the user is a guest he will go to a different view through a different layout.
