How to deny a role / user access to all Controllers / Actions apart from specified exceptions asp.net MVC


Problem description

I would like to be able to specify either a role or a user that isn't allowed to access an entire site when all other users are.

I would then like to be able to do something along the lines of an authorize header on selected actions so that the denied user is still allowed to access this selected action and controller if possible.

I know I could create a role, add all other users to this role and then do an authorization attribute on this role, but this would have to be done on every single action, which is a non-starter because the project is already built with hundreds if not thousands of actions.

So any suggestions will be appreciated.

Recommended answer

The easiest solution here would probably be a custom Authorize attribute to add Deny functionality. You could implement this in a number of ways. For instance, you could deny based on a specific role, but that can be difficult to maintain over time: if you want to deny people from different parts of the app, you'd have to create different roles and change your code every time you want to do that.

For example:

using System.Web;
using System.Web.Mvc;

// Inverts the standard AuthorizeAttribute check: users matching Roles/Users are denied.
public class DenyAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // An unauthenticated user fails base.AuthorizeCore, so this returns true for them.
        return !base.AuthorizeCore(httpContext);
    }
}

This uses the Roles property of the AuthorizeAttribute as a deny.

[Deny(Roles="DeniedUsers")]

Be aware though, that you would need some kind of higher level authorization, such as at the Controller or global filter level, that blocks unauthenticated users overall; otherwise it would allow anyone not in the Role specified to have access, including unauthenticated users. So maybe add something like:

// IPrincipal exposes the authentication flag through Identity, not directly on User.
return httpContext.User.Identity.IsAuthenticated && !base.AuthorizeCore(httpContext);

Also be aware that using this in conjunction with an [AllowAnonymous] might be problematic.

Another option would be to create a more flexible system that would calculate the deny based on the current controller/action. Something like this:

using System.Web;
using System.Web.Mvc;

// Denies access when the user is in a role named after the current controller/action,
// on top of the normal AuthorizeAttribute requirements.
public class DenyByControllerActionAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var routeData = httpContext.Request.RequestContext.RouteData;
        var controller = routeData.GetRequiredString("controller");
        var action = routeData.GetRequiredString("action");
        // e.g. "DenyHome:Index"
        var denyRole = string.Format("Deny{0}:{1}", controller, action);
        return !httpContext.User.IsInRole(denyRole) && base.AuthorizeCore(httpContext);
    }
}

You can then control access by adding the user to a role of the format "Deny{Controller}:{Action}", so something like "DenyHome:Index" or "DenyAdmin:Email".

This will also require that they have default authorize access as well, by calling the base AuthorizeCore functionality. So you can do a wholesale replace of [Authorize] with [DenyByControllerAction] and it will work the same way (or use it as a global filter), but simply by adding the role you can deny any user access to any Controller/Action.
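The question asks for a role that is shut out everywhere except on a few marked actions. As an added example (not from the answer above and not any project's own code), the following combines a global AuthorizeAttribute subclass with an opt-in marker attribute; it assumes ASP.NET MVC 5 (System.Web.Mvc), and the attribute names and the ExemptKey string are invented for the example.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Marker: opts a controller or action back in for the otherwise-denied role.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
public sealed class AllowDeniedRoleAttribute : Attribute { }

// Registered once as a global filter: normal [Authorize] behaviour for everyone,
// plus members of the denied role are rejected unless the action or its
// controller carries [AllowDeniedRole].
public class DenyRoleExceptAllowedAttribute : AuthorizeAttribute
{
    private const string ExemptKey = "DenyRoleExceptAllowed.Exempt"; // assumed name
    private readonly string _deniedRole;
    public DenyRoleExceptAllowedAttribute(string deniedRole)
    {
        if (string.IsNullOrEmpty(deniedRole)) throw new ArgumentException("Role name required", "deniedRole");
        _deniedRole = deniedRole;
    }
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        ActionDescriptor action = filterContext.ActionDescriptor;
        // Stash the exemption per request so AuthorizeCore (which only sees the HttpContext)
        // can read it. Items is fresh on each request, so output-cache revalidation on a
        // later request finds no flag and fails closed (the request is then re-executed).
        filterContext.HttpContext.Items[ExemptKey] =
            action.IsDefined(typeof(AllowDeniedRoleAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowDeniedRoleAttribute), true);
        base.OnAuthorization(filterContext); // honours [AllowAnonymous], then calls AuthorizeCore
    }
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // authenticated, Users/Roles satisfied
        bool exempt = httpContext.Items[ExemptKey] is bool && (bool)httpContext.Items[ExemptKey];
        return exempt || !httpContext.User.IsInRole(_deniedRole);
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user in the denied role gets 403 rather than the default 401,
        // which forms authentication would otherwise turn into a login-page redirect.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Register it once in FilterConfig with filters.Add(new DenyRoleExceptAllowedAttribute("DeniedUsers")) and mark the few exceptions with [AllowDeniedRole]; actions marked [AllowAnonymous] remain open to everyone, including the denied role, because the base class skips them.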
