如何对角色和特定用户使用自定义Authorize属性? [英] How to use custom Authorize attribute for roles as well as a specific user?
问题描述
所以我有我的操作方法
[Authorize(Roles="Admin")]
public ActionResult EditPosts(int id)
{
return View();
}
就我而言,我需要授权管理员,以便他们可以编辑帖子,但是(此处来了很酷的部分),我还需要允许帖子的创建者能够编辑普通用户的帖子。那么,我该如何过滤掉创建帖子的用户以及管理员,却让其他人未经授权?我正在接收PostEntry id作为路由参数,但是在属性和属性之后,它们仅接受常量参数,看起来很困难,您的回答受到高度评价,干杯!
In my case i need to authorize administrators so they can edit posts but (here comes the cool part), i also need to allow the creator of the post to be able to edit the post wich is a normal user. So how can i filter out the user that created the post as well as the admins but leave the others unauthorized? I am recieveing the PostEntry id as a route parameter but thats after the atribute and also attributes only accept constant parameters, looks like something very difficult, your answers are highly appreciated, Cheers!
推荐答案
您可以编写自定义授权属性:
You could write a custom authorize attribute:
public class AuthorizeAdminOrOwnerOfPostAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var authorized = base.AuthorizeCore(httpContext);
if (!authorized)
{
// The user is not authenticated
return false;
}
var user = httpContext.User;
if (user.IsInRole("Admin"))
{
// Administrator => let him in
return true;
}
var rd = httpContext.Request.RequestContext.RouteData;
var id = rd.Values["id"] as string;
if (string.IsNullOrEmpty(id))
{
// No id was specified => we do not allow access
return false;
}
return IsOwnerOfPost(user.Identity.Name, id);
}
private bool IsOwnerOfPost(string username, string postId)
{
// TODO: you know what to do here
throw new NotImplementedException();
}
}
,然后用它来装饰控制器动作:
and then decorate your controller action with it:
[AuthorizeAdminOrOwnerOfPost]
public ActionResult EditPosts(int id)
{
return View();
}
这篇关于如何对角色和特定用户使用自定义Authorize属性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!