多重角色和用户的MVC 3动态授权 [英] MVC 3 dynamic authorization of multiple roles and users
问题描述
我最近starded为MVC 3开发但因为在前面C#和ASP.NET的经验。所以我就用什么,我试图完成启动。我已经开发了托管物品的小网站。我已经实现了基于SQLServer的成员managament到现场。现在我想创建一个证书制度,限制,允许适当的用户创建,删除和更新的文章。有一个简单的解决方案,这一点,那就是做这样的:
I recently starded developing for MVC 3 but have experience in both C# and ASP.NET since earlier. So i'll start with what i'm trying to accomplish. I've developed a small site for hosting articles. I've implemented SQLServer based membership managament to the site. Now i want to create a credentials system that restricts and allows the right users to create, delete and update articles. There is one simple solution to this and that is to do it like this:
[Authorize(Roles="Admin")]
public ActionResult UpdateArticle(ArticleModel model, int articleid)
{
return View();
}
现在,这是非常简单的。我简单地说,只有那些中的角色管理员的成员被允许更新的文章。但是,这只是静态的。所以我创造了我的数据库中的证书表,到底告诉我说:第5条可以通过角色1,2,3和放大器进行编辑; 4和用户A,B和C。到现在为止还挺好。但我将如何实现,与授权解决方案?
Now this is really simple. I simply say that only members that are in the role "Admin" are allowed to update an article. But that's just to static. So i created a credentials table in my database that in the end tells me that "Article 5 can be edited by roles 1,2,3 & 4 and by users A, b & C". So far so good. But how would i implement that with the Authorize solution?
我愿做这样的事情:
[Authorize(getAuthorizedusers("update",this.articleid))]
在这里,用户和角色授权更新与传递给它的条款ArticleID文章getAuthorizedusers回报。
where getAuthorizedusers returns which users and roles are authorized to update the article with the articleid that was passed to it.
所以,我有(至少)两个位置问题:
-Getting的授权方法来接受多个用户和角色。
-Passing附带的条款ArticleID,被送往UpdateArticle方法,该方法getAuthorizedusers
So I have (at least) two problems here: -Getting the Authorize method to accept multiple users and roles. -Passing the supplied articleid, that was sent to the UpdateArticle method, to the getAuthorizedusers method.
推荐答案
您可以创建从 AuthorizeAttribute 继承自己的自定义属性,并覆盖 OnAuthorize 方法去做你所需要的。
You can create your own custom attribute that inherits from AuthorizeAttribute and override the OnAuthorize method to do what you need.
这应该让你开始:
public class ArticleAuthorizeAttribute : AuthorizeAttribute
{
public enum ArticleAction
{
Read,
Create,
Update,
Delete
}
public ArticleAction Action { get; set; }
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
//do custom authorizization using Action and getting ArticleID
//from filterContext.HttpContext.Request.QueryString or
//filterContext.HttpContext.Request.Form
}
}
用法是这样的:
[ArticleAuthorize(Action=ArticleAuthorizeAttribute.ArticleAction.Update)]
编辑:寻找到这多一点之后,它看起来就像你不能到属性传递this.articleID。但是,你必须通过查询字符串属性或<$ C从 filterContext.HttpContext.Request 访问参数$ C>表单属性,这取决于你是如何传递的价值观。我已经适当更新了code样本。
After looking into this a bit more, it looks like you can't pass this.articleID in to the attribute. However, you do have access to the parameters from filterContext.HttpContext.Request through the QueryString property or the Form property, depending on how you are passing the values. I have updated the code sample appropriately.
一个更完整的例子可以发现这里
A more complete example can be found here
要使用用户角色和用户列表,你会做这样的事情检查授权:
To check for authorization using user role and user list you would do something like this:
var allowedUsers = new List<string>();
//populate allowedUsers from DB
If (User.IsInRole("Update") || allowedUsers.Contains(User.Identity.Name))
{
//authorized
}
另外,你可以做对DB两个检查直接在一个单一的方法,从制作两个电话不断。
Alternatively, you can do both checks against the DB directly in a single method to keep from making two calls.
这篇关于多重角色和用户的MVC 3动态授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
