如何创建具有不同权限的意见的网页 [英] How to create pages with different permissions' views
问题描述
我需要为不同类型的用户不同的页面浏览量。
我已经问过这里:<一href=\"http://stackoverflow.com/questions/5067141/how-to-create-pages-with-different-permissions-views\">How创建具有不同权限的意见的网页
I need to create different page views for different types of users. I already asked that here: How to create pages with different permissions' views
而且即使Aldeel的答复工作,它似乎并没有最好的解决方案适合我。我会解释为什么。
And even though Aldeel's answer works, it does not seem the best solution for me. I'll explain why.
我会尽力解释什么,我需要非常详细hopefuly一些,你将能够帮助我:D
I'll try to explain what I need very detailed and hopefuly some of you will be able to help me out :D
我需要表现出不同的看法,但它不是只喜欢。每个用户可以访问该网页的不同部分。
I need to show different views but it's not only like that. Each user can have access to different parts of the page.
我来举一个例子:
想象一下,一个页面的X这种结构
Imagine a page 'X' with this structure
Field A
Field B
Field C
Field D
当用户 U1 从组 G1 访问页 X 系统检查DB该组的页面 X 的权限。用户 U1 可以看到字段A 和字段B ,但只有编辑字段A 。
When user U1 from group G1 visit page X the system checks the DB for that group's permission on page X. User U1 can see Field A and Field B, but only edit Field A.
用户 U2 被设置为无群访页 X 。系统会检查他的网页上的权限 X 。用户 U2 可以查看和编辑所有字段。
User U2 that is set to no group visits page X. The system checks for his permissions on page X. User U2 can see and edit all fields.
当用户 U3 从组 G2 访问页 X 系统检查DB该组的页面 X 的权限。用户 U3 可以看到的字段c 和野D ,但不能编辑任何
When user U3 from group G2 visit page X the system checks the DB for that group's permission on page X. User U3 can see Field C and Field D, but can not edit any.
我希望这是很容易理解...
I hope it's easy to understand...
我coudn't找到一个方法来做到这一点,而不是有很多关于特定用户的许可数据填充的ViewData。在我的例子,只有4场,但在我目前的项目我有少于20场没有屏幕。所以我想你可以看到那是多么丑陋,而不是生产。
I coudn't find a way to do that instead of filling ViewData with lots of data about that specific user's permission. In my example there are only 4 fields, but in my current project I have no screen with less than 20 fields. So I guess you can see how ugly and not productive that is.
我们的想法是类似的社交网络,就像我说的(<一个href=\"http://stackoverflow.com/questions/5067141/how-to-create-pages-with-different-permissions-views\">facebook例如)。当用户访问UserX的页面只能看到UserX允许他。
The idea is similar to a social network, as I said (facebook example). When a user visiting UserX's page can only see what UserX has allowed him to.
我真的AP preciate任何帮助。
I really appreciate any help.
最好的问候。
推荐答案
要你在找什么做的,你不应该控制你的观点 - 你确实有,以确保您的控制器 - 而不是意见。你可以通过控制器的属性做到这一点。类似这样的内容:
To do what you are looking to do, you shouldn't control your views - you actually have to secure your controllers - not the views. You can do this via controller attributes. Something similar to this:
[Authorize]
public class MyController {
}
通过这样做,你保护整个控制器。该控制器内的每一个动作将不响应,如果用户没有被认证(具体而言,它们将收到401响应)。可以通过如下面的实施例授权个人用户或个人角色扩展此
By doing this, you secure the entire controller. Every action within that controller will not respond if the user is not authenticated (specifically, they will receive a 401 response). You can extend this by authorizing individual users or individual roles as shown in the examples below:
[Authorize(Users="eestein,JasCav")
public class MyController {
}
[Authorize(Roles="Administrator")]
public class MyController {
}
在你的情况,你可能不希望有它的授权整个控制器。嗯,够出色,ASP.NET MVC提供认证的动作级控制。所以,你可以这样做:
In your case, you may not want to have an entire controller with authorization on it. Well, excellently enough, ASP.NET MVC provides action-level control of authentication. So, you can do this:
public class MyController {
public ActionResult Index() { }
[Authorize(Roles="Administrator")]
public ActionResult Admin() { }
}
使用这个想法,这是你可以控制用户看到页面上的内容。你会想从你的行动返回部分的网页,让您可以加载页面的各个方面。例如,你可能有一个观点,即显示了一些正常的数据和一些机密数据。正常数据可通过正常的页面返回。保密数据应该返回作为页内的局部视图。但是,如果出现一个401,你可以处理它,只是没有显示任何东西。
Using this idea, this is where you can control what a user sees on a page. You are going to want to return partial pages from your actions so that you can load various aspects of the page. For example, you may have a view that shows some normal data and some secret data. The normal data can be returned via the normal page. The secret data should be returned as a partial view within the page. However, if a 401 occurs, you can handle it and just not show anything.
这是相当简单的事情。在.NET团队做此设置了一个伟大的工作,你不必到控制器内单独检查权限。我希望这有助于让你开始。做一个网上搜索有关如何使用授权属性的详细信息。
It is fairly straightforward to do. The .NET team did a great job of setting this up and you don't have to individually check permissions within your controller. I hope this helps get you started. Do a search online for more information about how to use the Authorization attribute.
更新
当你是谁控制这些权限的网页的管理员的情况下,你必须聪明地授权如何设置属性。这是角色是非常重要的(按我上面的例子)。例如,如果管理员说,我要李四添加到SpecialUser角色,那么李四用户将能够访问所有在其中的角色被设定为SpecialUser的操作(如果这是真的系统上的角色)。
Update In the case where you have an administrator of a page who is controlling those permissions, you have to be smart about how you setup your Authorize attribute. This is where "Roles" are very important (per my examples above). For example, if the administrator says, "I'm going to add John Doe to an SpecialUser role," then John Doe user is going to be able to access all the actions in which the role is set to SpecialUser (if that is indeed a role on your system).
显然,你将不得不放弃管理员能够做到这一点某种程度上,以及授权属性做到这一点很好。看看谁拥有网页上的权限,则必须查询数据库,找出谁是起什么作用的一部分。这里是思考的设置方式:
Obviously, you're going to have to give administrators some way of being able to do this, and the Authorize attribute does this perfectly. To see who has permissions on a page, you will have to query the database to find out who is part of what role. Here is a way to think about the setup:
- 您控制措施的作用。
- 您的管理员控制谁被授予的角色。
- 您可以随时检查(通过一个简单的查询),看看谁被分配到什么样的作用。然后,您可以(通过你的动作角色的知识),看看谁看到该网站的哪一部分。
我希望这澄清(我希望我理解你的问题不够好)。我认为你正在试图做的是可能的。
I hope this clarifies (and I hope I understood your problem well enough). I think what you are trying to do is possible.
更新2
是的,这确实假定你有你的控制器的静态组和任何新的组都必须以编程方式添加。我很好奇,想知道什么样的用例需要不同的权限类型来动态创建 - 这似乎是它会被滥用。在任何情况下,我没有一个解决方案。
Update 2 Yes, this does assume you have static groups on your controllers and any new group would have to be programmatically added. I'd be curious to know what kind of use case requires different permissions types to created on the fly - that seems like it would be open to abuse. In any case, I don't have a solution for this.
至于如何局部视图的工作......这是这样的事情...
As for how partial views work...it's something like this...
public class ProductController : Controller
{
//
// GET: /Index/
public ActionResult Index()
{
return View();
}
public ActionResult Partial1()
{
return PartialView();
}
[Authorize]
public ActionResult Partial2()
{
return PartialView();
}
}
在您的Index.aspx文件,就会有这样的事情:
Inside your Index.aspx file, you'll have something like this:
<%= Html.RenderAction("Partial1") %>
<%= Html.RenderAction("Partial2") %>
如果用户没有被授权可以处理的第二个的RenderAction 这样的观点,甚至永远不会显示。 (您可以检查您的控制器内。)
If the user is not authorized you can handle the second RenderAction so the view never even shows. (You can check that within your controller.)
。希望澄清的事情!我在跑,所以我不能更扩大现在
Hope that clarifies things! I'm on the run, so I can't expand on it more now.
这篇关于如何创建具有不同权限的意见的网页的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
