ASP .NET MVC Securing a Controller/Action


Question

If I want only administrator to access the action called "ManagerUser", I know I can do this:

[Authorize( Roles = Constants.ROLES_ADMINISTRATOR )]
public ActionResult ManageUser( string id )
{
    // Only users in the administrator role reach this point.
    return View();
}

What if I want to give everyone access except the administrator? I do not want to write all the roles up there on the function :|

Any suggestions / way out?

Answer

You can create your own custom Authorize attribute, something like "AuthorizeAllExceptAdmin." Within that class you would simply need to check whether or not the current user was an admin, and if they were reject it, otherwise accept it.

Here's a good tutorial (http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx), but you'll probably end up with something like:

using System.Web;
using System.Web.Mvc;

public class AuthorizeAllExceptAdmin : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Deny members of the administrator role; everyone else is allowed.
        // base.AuthorizeCore is not called here, so its authentication check is skipped.
        return !httpContext.User.IsInRole(Constants.ROLES_ADMINISTRATOR);
    }
}

Then your controller method becomes:

[AuthorizeAllExceptAdmin]
public ActionResult SomethingOnlyNonAdminsCanDo()
{
    return View();
}

Here's an example of the custom attribute that takes in roles to deny.

using System.Web;
using System.Web.Mvc;

public class DoNotAuthorize : AuthorizeAttribute
{
    private readonly string[] _rolesToReject;

    // Attribute constructor parameters must be simple types, string, Type, enums or
    // single-dimensional arrays of those, so IEnumerable<string> would not compile;
    // params string[] accepts both a bare role and an explicit array.
    public DoNotAuthorize(params string[] rolesToReject)
    {
        _rolesToReject = rolesToReject ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Reject the request if the current user is in any of the listed roles.
        foreach (var role in _rolesToReject)
        {
            if (httpContext.User.IsInRole(role))
                return false;
        }

        return true;
    }
}

Then your controller method becomes:

[DoNotAuthorize(new[] { Constants.ROLES_ADMINISTRATOR })]
public ActionResult SomethingOnlyNonAdminsCanDo()
{
    return View();
}

I would put some thought into it before choosing one of the above options. If you think you'll have several methods (or entire controllers) with similar authorization requirements (i.e., several actions an admin cannot perform) then I would stick with the non-parameterized custom attribute. This way, you can evolve them all together (by only changing the custom attribute) later on. For example, maybe later on you want admins to be able to go into a special mode where they can perform these actions.

Alternatively, if the authorization is more varied amongst the actions, then using the parameterized list makes sense, since they'll evolve relatively independently.
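Both attributes in the answer override AuthorizeCore without calling the base implementation, so the base class's check that the user is authenticated at all is lost, and a denied, logged-in user gets the default 401 (which forms authentication turns into a login-page redirect). The following variant is an added example, not code from the answer or from the linked tutorial; DenyRolesAttribute is a hypothetical name, and Constants.ROLES_ADMINISTRATOR is assumed to be a const string as on the page.

```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Denies the listed roles while still requiring an authenticated user,
// because it calls base.AuthorizeCore instead of replacing it.
public sealed class DenyRolesAttribute : AuthorizeAttribute
{
    private readonly string[] _deniedRoles;

    // params string[] is a valid attribute parameter type; IEnumerable<string> is not.
    public DenyRolesAttribute(params string[] deniedRoles)
    {
        _deniedRoles = deniedRoles ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base.AuthorizeCore rejects anonymous users and enforces any Users/Roles
        // properties set on the attribute; only then apply the deny list.
        if (!base.AuthorizeCore(httpContext))
            return false;

        var user = httpContext.User;
        return !_deniedRoles.Any(role => user.IsInRole(role));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user in a denied role gets 403 Forbidden instead of the
        // default 401, which forms authentication would turn into a login redirect.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
            return;
        }

        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage (hypothetical action; Constants.ROLES_ADMINISTRATOR assumed to be a const string):
// [DenyRoles(Constants.ROLES_ADMINISTRATOR)]
// public ActionResult SomethingOnlyNonAdminsCanDo() { return View(); }
```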
