Passing Func as an attribute parameter to secure MVC routes

Problem description

I'm trying to secure my MVC routes from a set of users that meet a set of criteria. Since MVC seems to use attributes quite a bit and Steven Sanderson uses one for security extensibility in his pro MVC book I started heading down this route, but I'd like to define the rule contextually based on the action I am applying it to.

Some actions are for employees only, some aren't.

Some actions are for company1 only, some aren't.

So I was thinking this type of usage...

[DisableAccess(BlockUsersWhere = u => u.Company != "Acme")]
public ActionResult AcmeOnlyAction()
{
...
}

[DisableAccess(BlockUsersWhere = u => u.IsEmployee == false)]
public ActionResult EmployeeOnlyAction()
{
...
}

Looks pretty clean to me and is really pretty easy to implement, but I get the following compiler error:

'BlockUsersWhere' is not a valid named attribute argument because it is not a valid attribute parameter type

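Apparently you cannot use a Func as an attribute parameter. Any other suggestions to get around this issue, or something else that provides the simple usage we've come to love in our MVC projects?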

Recommended answer

Necros' suggestion would work, however you would have to invoke his SecurityGuard helper in the body of every action method.

If you would still like to go with the declarative attribute-based approach (which has the advantage that you can apply the attribute to the whole Controller) you could write your own AuthorizeAttribute

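using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public class CustomAuthorizeAttribute : AuthorizeAttribute {
    // Both settings are compile-time constants, so they are valid attribute arguments.
    public bool EmployeeOnly { get; set; }
    private string _company;

    public string Company {
        get { return _company; }
        set { _company = value; }
    }

    // Run the built-in check (authenticated, Users, Roles) first, then the custom rules.
    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        return base.AuthorizeCore(httpContext) && MyAuthorizationCheck(httpContext);
    }

    private bool MyAuthorizationCheck(HttpContextBase httpContext) {
        IPrincipal user = httpContext.User;

        if (EmployeeOnly && !VerifyUserIsEmployee(user)) {
            return false;
        }

        if (!String.IsNullOrEmpty(Company) && !VerifyUserIsInCompany(user)) {
            return false;
        }

        return true;
    }

    private bool VerifyUserIsInCompany(IPrincipal user) {
        // your check here (compare the user's company with the Company property)
        throw new NotImplementedException();
    }

    private bool VerifyUserIsEmployee(IPrincipal user) {
        // your check here
        throw new NotImplementedException();
    }
}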

Then you would use it as follows

[CustomAuthorize(Company = "Acme")]   
public ActionResult AcmeOnlyAction()   
{   
...   
}   

[CustomAuthorize(EmployeeOnly = true)]   
public ActionResult EmployeeOnlyAction()   
{   
...   
}  
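
An added example, not part of the original question or answer: a variant that keeps the per-action predicate the question asked for by passing a rule class with typeof(...), which is a valid attribute argument where a Func is not. IAccessRule, AcmeOnlyRule, RuleAuthorizeAttribute, ReportsController and the "company" claim type are hypothetical names, and ClaimsPrincipal assumes .NET 4.5 or later.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical rule contract: one class per predicate that would have been a Func.
public interface IAccessRule {
    bool IsAllowed(IPrincipal user);
}

// Assumes the login code issues a "company" claim (assumed claim type, not from the page).
public sealed class AcmeOnlyRule : IAccessRule {
    public bool IsAllowed(IPrincipal user) {
        var claims = user as ClaimsPrincipal;
        // A principal without claims is denied rather than waved through.
        return claims != null && claims.HasClaim("company", "Acme");
    }
}

public sealed class RuleAuthorizeAttribute : AuthorizeAttribute {
    private readonly Type _ruleType;

    public RuleAuthorizeAttribute(Type ruleType) {
        if (ruleType == null) throw new ArgumentNullException("ruleType");
        // Reject anything that cannot be instantiated as a rule.
        if (!typeof(IAccessRule).IsAssignableFrom(ruleType) || ruleType.IsAbstract
            || ruleType.GetConstructor(Type.EmptyTypes) == null) {
            throw new ArgumentException(
                "Rule must be a concrete IAccessRule with a public parameterless constructor.",
                "ruleType");
        }
        _ruleType = ruleType;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        // The base check (authenticated, Users, Roles) runs first; the rule can only narrow access.
        if (!base.AuthorizeCore(httpContext)) return false;
        var rule = (IAccessRule)Activator.CreateInstance(_ruleType);
        return rule.IsAllowed(httpContext.User);
    }
}

public class ReportsController : Controller {
    [RuleAuthorize(typeof(AcmeOnlyRule))]
    public ActionResult AcmeOnlyAction() {
        return Content("Acme only");
    }
}
```

An authenticated user who fails the rule receives the base class's 401 result, which forms authentication turns into a login redirect; override HandleUnauthorizedRequest to return 403 for that case.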
