MVC Security problems in my application - Best strategy for separating logic?
Problem description
I feel like the biggest idiot - I thought only ActionResults were sent back to the client. For this reason, I had a load of "helper" methods in my controller.
I just tried accessing them via a URL and I swear I almost went crazy when I saw they could be reached! ... Luckily, no one else has discovered this yet.
One such method I have, that I call over and over again, is:
// Public instance method on a Controller: ASP.NET MVC treats it as an action,
// so it is reachable at /{controller}/GetCurrentUser.
public User GetCurrentUser()
{
    // "User" here is Controller.User (IPrincipal), "db" is the data context.
    User user = db.Users.SingleOrDefault(x => x.UserName == User.Identity.Name);
    return user;
}
I have just created a folder called "Logic" inside my Models folder and I am attempting to separate the code - I was just wondering what the best strategy is for calling code, namespaces and more?
In the above example, I am using User.Identity.Name, which is only inherited from Controller. If I add this, I am back to stage one!
Thanks to Darin Dimitrov, I now know about the [NonAction] attribute - adding it to these methods does exactly what I need / fixes the security problem. However, many of these methods are used in different controllers and I know it would be best if I could separate the logic from the controllers. I am just not sure what the best way to go about it is.
Can anyone point me in the right direction before I start pulling all my hair out!?
You may take a look at the [Authorize] attribute.
UPDATE:
Or you could use the [NonAction] attribute or make the method private. But the best practice in this case would be to simply move this logic out of your controller. A controller should contain only controller actions. Other logic should be placed in its respective layers.
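The following is an added example written for this page; it is not code from the question or from the answer above. It puts the controller from the question (every public instance method on an ASP.NET MVC controller is routable unless it is marked [NonAction], and [Authorize] on its own only narrows the callers to authenticated users, it does not stop the helper from being reachable) next to a version that applies the answer: the lookup moves into a plain class that receives an IPrincipal in its constructor, so it no longer needs anything inherited from Controller and can be shared by several controllers. IUserRepository, CurrentUserService, AccountBeforeController and AccountController are assumed names standing in for the asker's "db" and controller; the example assumes a System.Web.Mvc project and a DependencyResolver (or a parameterless constructor) so that controllers taking constructor parameters can be created.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
}

// Assumed stand-in for the asker's "db": anything exposing a queryable Users set
// (an EF DbContext, a repository over one, or an in-memory list in a unit test).
public interface IUserRepository
{
    IQueryable<User> Users { get; }
}

// BEFORE (the situation in the question). GetCurrentUser is a public instance
// method on a Controller, so MVC exposes it as the action /AccountBefore/GetCurrentUser:
// the request runs the database query and MVC writes Convert.ToString(result)
// to the response. [Authorize] would only limit who can trigger it.
public class AccountBeforeController : Controller
{
    private readonly IUserRepository db;

    public AccountBeforeController(IUserRepository db) { this.db = db; }

    public User GetCurrentUser()   // reachable by URL
    {
        return db.Users.SingleOrDefault(x => x.UserName == User.Identity.Name);
    }

    public ActionResult Index()
    {
        return View(GetCurrentUser());
    }
}

// AFTER: the logic lives in an ordinary class with no Controller base type.
// The principal is handed in, so User.Identity is no longer needed from Controller,
// nothing here is routable, and the class is testable with a fake IPrincipal.
public class CurrentUserService
{
    private readonly IUserRepository db;
    private readonly IPrincipal principal;

    public CurrentUserService(IUserRepository db, IPrincipal principal)
    {
        this.db = db;
        this.principal = principal;
    }

    public User GetCurrentUser()
    {
        // Anonymous requests carry an identity that is not authenticated (name empty);
        // return null rather than querying for an empty user name.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return null;

        return db.Users.SingleOrDefault(x => x.UserName == principal.Identity.Name);
    }
}

public class AccountController : Controller
{
    private readonly IUserRepository db;

    // Requires a DependencyResolver that can supply IUserRepository; the default
    // controller factory otherwise needs a parameterless constructor.
    public AccountController(IUserRepository db) { this.db = db; }

    // Built per request from the controller's own User (IPrincipal); with an IoC
    // container the service itself would be constructor-injected instead.
    private CurrentUserService CurrentUser
    {
        get { return new CurrentUserService(db, User); }
    }

    // [Authorize] is still the right tool for restricting *who* may call an action;
    // it is not what keeps helper code off the routing table.
    [Authorize]
    public ActionResult Index()
    {
        return View(CurrentUser.GetCurrentUser());
    }

    // Stop-gap from the answer for a helper that has to stay on the controller:
    // [NonAction] removes it from routing (making it private does the same).
    [NonAction]
    public User GetCurrentUserLegacy()
    {
        return CurrentUser.GetCurrentUser();
    }
}
```

With this layout, a request to /Account/GetCurrentUser or /Account/GetCurrentUserLegacy returns 404 instead of running the query, and the same CurrentUserService can be constructed from any controller's User property (or from HttpContext.Current.User outside MVC) without duplicating the lookup.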