ASP.NET Core 3.1 Web Api authorization on model property level

Question

I have a web api with basic jwt authentication and role based authorization. Now I want to restrict certain fields from being edited by users that are in the role user, because the route based authorization is not enough.

class Account {
    public int Id {get; set;}
    public string Email {get; set;}
    public string Password {get; set;}
    public bool Enabled {get; set;} // <- this field should only be editable by an admin or manager
    public int RoleId {get; set;} // <- this field should only be editable by an admin
}

When the user is in the role user he is only allowed to change his email address and his password, but only for his account. When he is in the role manager he should be able to edit the fields email, password and enabled but only for accounts that are in the user role. An admin can edit every field from every user.

Is there anything that would solve my problem, for example something like this:

class Account {
    public int Id {get; set;}
    public string Email {get; set;}
    public string Password {get; set;}

    [Authorize(Roles = "Admin,Manager")]
    public bool Enabled {get; set;} // <- this field should only be editable by an admin or manager

    [Authorize(Roles = "Admin")]
    public int RoleId {get; set;} // <- this field should only be editable by an admin
}

More info about my project:
- ASP.NET Core 3.1
- I use Entity Framework Core with a Postgres database
- For authentication I use basic jwt bearer authentication

Recommended answer

So, I think you have an incorrect understanding of how Authorize works.

This attribute is used on controllers. You can create multiple controllers and set different ROLES for each method to specify which roles can call that method.

It's not correct to specify it on Dto (Data Transfer Objects) classes.

But you can make an interesting solution with 2 controllers and inheritance.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

//Account dto for edit (the fields a plain user may change)
public class AccountEditDto {
    public int Id {get; set;}
    public string Email {get; set;}
    public string Password {get; set;}
}

//Controller to edit account
[Authorize] // any authenticated caller; this route only ever receives the three user-level fields
[Route("all/account_controller")]
public class AccountController : Controller
{
    [HttpPost("edit")]
    public ActionResult EditAccount([FromBody] AccountEditDto accountDto)
    {
        //do something, e.g. check that accountDto.Id is the caller's own account before saving
        return Ok();
    }
}

Then for the manager role, set up something like this:

//Account dto for edit by a manager: the user-level fields plus Enabled
public class AccountManagerEditDto : AccountEditDto {
    public bool Enabled {get; set;}
}

//Controller for managers to edit account
//Derives from Controller rather than AccountController: MVC also registers inherited public
//actions, so deriving from AccountController would expose two EditAccount actions on the same
//route and fail with an ambiguous match.
[Area("Manager")]
[Route("manager/account_controller")]
public class AccountManagerController : Controller
{
    [Authorize(Roles = "Manager")]
    [HttpPost("edit")]
    public ActionResult EditAccount([FromBody] AccountManagerEditDto accountDto)
    {
        //Do something
        return Ok();
    }
}

Then for the admin role, set up something like this:

//Account dto for edit by an admin: the manager-level fields plus RoleId
public class AccountAdminEditDto : AccountManagerEditDto {
    public int RoleId {get; set;}
}

//Controller for admins to edit account (same reason as above for deriving from Controller)
[Area("Admin")]
[Route("admin/account_controller")]
public class AccountAdminController : Controller
{
    [Authorize(Roles = "Admin")]
    [HttpPost("edit")]
    public ActionResult EditAccount([FromBody] AccountAdminEditDto accountDto)
    {
        //Do something
        return Ok();
    }
}

Then you can use this URL pattern to call the controller methods:

http://localhost/{role}/account_controller/edit
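The per-role controllers above separate the fields by DTO, but they do not by themselves enforce the other half of the question: a user may only edit his own account and a manager only accounts in the user role. The following is an added example, not code from the question or the answer, showing a single endpoint that applies both the ownership rule and the field rule explicitly. `IAccountRepository`, the `UserRoleId` constant and the use of the `NameIdentifier` claim for the caller's account id are assumptions for the example.

```csharp
// Added example (not from the question or answer): one PATCH endpoint that enforces
// the per-role field rules and the per-role ownership rules from the question.
// Assumes a hypothetical IAccountRepository and that the JWT carries the caller's
// account id in the NameIdentifier claim and the role names in role claims.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class Account
{
    public int Id { get; set; }
    public string Email { get; set; }
    public string Password { get; set; }   // store a password hash here in practice
    public bool Enabled { get; set; }
    public int RoleId { get; set; }
}

// Every field is nullable so the server can tell "not sent" from "sent".
public class AccountPatchDto
{
    public string Email { get; set; }
    public string Password { get; set; }
    public bool? Enabled { get; set; }
    public int? RoleId { get; set; }
}

// Hypothetical persistence abstraction, e.g. backed by EF Core.
public interface IAccountRepository
{
    Task<Account> FindAsync(int id);
    Task SaveAsync(Account account);
}

[ApiController]
[Route("api/accounts")]
[Authorize]   // any authenticated caller may reach the action; the field rules are applied below
public class AccountsController : ControllerBase
{
    private const int UserRoleId = 1;   // constructed value: the RoleId of the "user" role
    private readonly IAccountRepository _repo;

    public AccountsController(IAccountRepository repo) => _repo = repo;

    [HttpPatch("{id:int}")]
    public async Task<IActionResult> Edit(int id, [FromBody] AccountPatchDto dto)
    {
        var target = await _repo.FindAsync(id);
        if (target == null) return NotFound();

        var idClaim = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!int.TryParse(idClaim, out var callerId)) return Forbid();
        bool isAdmin = User.IsInRole("Admin");
        bool isManager = User.IsInRole("Manager");

        // 1. Which accounts may this caller touch at all?
        //    admin: any; manager: only accounts in the user role; user: only himself.
        if (!isAdmin)
        {
            if (isManager && target.RoleId != UserRoleId) return Forbid();
            if (!isManager && target.Id != callerId) return Forbid();
        }

        // 2. Which fields may this caller set? Reject rather than silently drop,
        //    so a client that sends a forbidden field gets an explicit 403.
        if (dto.Enabled.HasValue && !(isAdmin || isManager)) return Forbid();
        if (dto.RoleId.HasValue && !isAdmin) return Forbid();

        // 3. Apply only what was sent and allowed.
        if (dto.Email != null) target.Email = dto.Email;
        if (dto.Password != null) target.Password = dto.Password;
        if (dto.Enabled.HasValue) target.Enabled = dto.Enabled.Value;
        if (dto.RoleId.HasValue) target.RoleId = dto.RoleId.Value;

        await _repo.SaveAsync(target);
        return NoContent();
    }
}
```

The ownership check runs before the field check on purpose: a caller who is not allowed to touch the account at all gets the same 403 whether or not the body contains privileged fields, so the response does not leak which fields exist on accounts he cannot see.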
