如何根据用户角色限制asp.net控制动作? [英] How can I limit asp.net control actions based on user role?

问题描述

我的应用程序中有几个页面或视图，这些页面或视图对于经过身份验证的用户和匿名用户都是相同的.我想将formviews和gridviews中的insert/update/delete操作限制为仅通过身份验证的用户，并允许对经过身份验证的用户和匿名用户进行读取访问.

I have several pages or views in my application which are essentially the same for both authenticated users and anonymous users. I'd like to limit the insert/update/delete actions in formviews and gridviews to authenticated users only, and allow read access for both authed and anon users.

我正在使用asp.net配置系统来处理身份验证和角色.该系统根据路径限制访问权限，因此我一直在为身份验证和匿名路径创建重复页面.

I'm using the asp.net configuration system for handling authentication and roles. This system limits access based on path so I've been creating duplicate pages for authed and anon paths.

立即想到的解决方案是检查相应事件处理程序中的角色，限制显示哪些可能的操作(插入/更新/删除按钮)，还限制执行什么操作(对于可能知道如何执行操作的用户)但是，此解决方案并不能消除重复-我将在一系列页面上复制安全代码，而不是复制页面并基于路径限制访问；后者将大大简化.

The solution that comes to mind immediately is to check roles in the appropriate event handlers, limiting what possible actions are displayed (insert/update/delete buttons) and also limiting what actions are performed (for users that may know how to perform an action in the absence of a button.) However, this solution doesn't eliminate duplication - I'd be duplicating security code on a series of pages rather than duplicating pages and limiting access based on path; the latter would be significantly less complicated.

我总是可以构建一些控件来提供基于角色的配置，但是我认为我现在没有时间进行这种承诺.

I could always build some controls that offered role-based configuration, but I don't think I have time for that kind of commitment right now.

是否有相对简单的方法(存在这样的控件?)还是应该坚持基于路径的访问和重复页面?

Is there a relatively easy way to do this (do such controls exist?) or should I just stick to path-based access and duplicate pages?

使用两种授权方法甚至有意义吗?仍然有一些页面严格地针对这两种角色，因此无论如何我都将使用基于路径的授权.

Does it even make sense to use two methods of authorization? There are still some pages which are strictly for either role so I'll be making use of path-based authorization anyway.

最后，至少在使用asp.net配置系统的情况下，使用基于路径的授权之外的其他方法是否会与典型的asp.net设计实践相反?

Finally, would using something other than path-based authorization be contrary to typical asp.net design practices, at least in the context of using the asp.net configuration system?

推荐答案

最好的方法是在自定义控件上添加一个属性，即角色"或允许此类角色的用户查看该控件的内容.既然没有时间，您可以创建一个帮助程序方法来处理控件的visible属性.像这样:

The best approach will be to add a property on a custom control saying Roles or something that will allow the users of such roles to view the control. Since, you do not have time for that you can make a helper method which will deal with the visible property of the control. Something like this:

<asp:Button id="UpdateButton" runat="server" Visible="<%# IsInRole("Admin") %>" /> 

您还可以创建自己的帮助程序方法来检查更多条件.

You can also make your own helper method that checks for more criteria.

这篇关于如何根据用户角色限制asp.net控制动作?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！