如何创建一个“后门"?对于管理员,是否能够以其他用户身份登录并查看信息? [英] How to create a "backdoor" for administrator, to be able to log in as anohter user and see information?
问题描述
我正在创建一个在线调查工具.
I am creating an online survey tool.
作为管理员,我想看看用户已经回答了什么,也能够代表他们回答.使用内置的成员资格提供程序登录时,系统会根据用户的用户名获取用户答案和其他信息.
As an administrator, i would like to see what the users have answered and also be able to answer on their behalf. The system get's a users answers and other information based on his/her username, when they are logged in, using the built in membership provider.
当前有三个角色:管理员,主持人和受访者
There are currently three roles: Administrator, Moderator and Respondent
如果我想向管理员显示用户列表,
If i would like to show my administrator a list of users,
如何为管理员创建一个后门",以便他可以以用户身份登录",查看用户答案等?(就像用户登录到自己的帐户后一样).
how would it be possible to create a "backdoor" for the administrator, so that he can "log" in as the user, see the users answers etc ? (Just like the user would be able to if he was logged in to his own account).
回答和检索问题时,系统绑定到`User.Identity.Name
When answering and retrieving quyestions, the system is bound to `User.Identity.Name
关于如何解决此问题的建议:
My suggestion on how to solve this:
当前,当我想检索用户答案时,我使用以下代码:
Currently, when i want to retrive a users answers i use the following code:
Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
var answers = db.Tabelform_Answers.Where(x => x.question_id == model.Question_ID && x.respondent == Firma_ID);
这是因为我有一个名为Firma的表,该表具有一个引用用户名(称为CVR_Nummer)的列.然后,我在Tabelform_Answers表中检索与question_id和Firma_ID匹配的所有记录(用户对特定问题的回答).
This is because i have a table named Firma, that has a column referencing to a users Name, called CVR_Nummer. I then retrieve all the records in the Tabelform_Answers table, that match question_id and Firma_ID (A users answers for a specific question).
代替使用`Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
Instead of using `Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
要检索给定用户的Firma_ID,我可以在登录时将其存储在Session中.当我想以管理员身份查看特定用户的Answers时,我只需在Session中更改Firma_ID.在会话中更改Firma_ID只能通过具有以下代码的控制器进行:
to retrive the Firma_ID of a given user, i could store it in the Session upon Login. When i want to view a specific users Answers as Administrator, i would then just change Firma_ID in the Session. Changing Firma_ID in the Session would only be allowed through a controller which has the following code:
[Authorize(Roles = "Administrator")]
此外,我将会话超时设置为与身份验证超时相同.
Also, i would set the Session timeout to be the same as the Authentication timeout.
有人可以告诉我此解决方案的优缺点吗?还有其他方法可以为会话存储全局"变量吗?(Firma_ID)?
Can somebody tell me which pros and cons of this solution? Are there any other ways of storing a "global" variable for a Session? (Firma_ID)?
谢谢
推荐答案
如果您只需要以用户身份登录,那么我会寻求一种售票方法.我有一个特殊的登录页面,可以显示票证编号.当管理员想以其他用户身份登录时,将在admin-gui中创建该票证.登录页面检查数据库中的票证,登录所需的用户,然后删除/标记该票证为已使用.为了增加安全性,票证在创建后仅有效10秒钟.
If you only need to log in as your users, I went for a ticket-method. I have a special login-page that can take a ticket-id. This ticket is created in the admin-gui when the admin wants to log in as another user. The login-page checks the ticket in the database, logs in the wanted user, and then deletes/marks the ticket as used. As an added security, a ticket is only valid for 10 seconds after creation.
另一种选择是通过admin-gui向用户提供答案...
Another option is to make answers from users available from the admin-gui...
这篇关于如何创建一个“后门"?对于管理员,是否能够以其他用户身份登录并查看信息?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!