使用角色asp.net mvc的授权 [英] asp.net mvc authorization using roles
问题描述
我创建一个具有用户的概念,一个asp.net MVC应用程序。每个用户可以编辑自己的个人资料。例如:
I'm creating an asp.net mvc application that has the concept of users. Each user is able to edit their own profile. For instance:
- 是PersonID = 1可以进入编辑个人资料的http://本地主机/人/编辑/ 1
- 是PersonID = 2可以进入编辑个人资料的http://本地主机/人/编辑/ 2
- PersonID=1 can edit their profile by going to http://localhost/person/edit/1
- PersonID=2 can edit their profile by going to http://localhost/person/edit/2
没有什么特别令人兴奋的有...
Nothing particularly exciting there...
不过,我遇到了一点与授权方案的麻烦。只有两个角色在系统中,现在,管理员和DefaultUser,但有可能会在未来更多。
However, I have run into a bit of trouble with the Authorization scheme. There are only two roles in the system right now, "Administrator" and "DefaultUser", but there will likely be more in the future.
我不能使用常规的授权属性指定的授权,因为这两个用户都在相同的角色(即DefaultUser)。
I can't use the regular Authorize attribute to specify Authorization because both users are in the same role (i.e., "DefaultUser").
所以,如果我指定的授权过滤器,象这样:
So, if I specify the Authorize Filter like so:
[Authorize(Roles = "DefaultUser")]
则没有影响。是PersonID = 1可以进入并编辑自己的个人资料(如它们应能),但他们也可以改变URL来 HTTP:/ /本地主机/人/编辑/ 2 ,他们有充分的机会来编辑是PersonID = 2的个人资料,以及(他们应该不能做)。
then there is no effect. PersonID=1 can go in and edit their own profile (as they should be able to), but they can also just change the URL to http://localhost/person/edit/2 and they have full access to edit PersonID=2's profile as well (which they should not be able to do).
这是否意味着我必须建立自己的授权过滤器来检查,如果用户请求的行动属于他们允许他们访问过吗?也就是说,如果编辑操作,使用参数=正在亲自当前登录请求1,做我需要做一个自定义的检查,以确保当前登录的人是PersonID = 1,如果是这样,授权他们,如果没有,拒绝访问?
Does this mean that I have to create my own Authorization filter that checks if the action the user is requesting "belongs" to them before allowing them access? That is, if the edit action, with parameter = 1 is being requested by the currently logged in person, do I need to do a custom check to make sure that the currently logged in person is PersonID=1, and if so, authorize them, and if not, deny access?
感觉就像我失去了一些东西在这里很明显,因此任何指导,将AP preciated。
Feels like I'm missing something obvious here, so any guidance would be appreciated.
推荐答案
也许你可以组织的控制器动作,这样的网址更像的http:/ /本地主机/人/ EDITME 并显示当前登录的用户编辑表单。这样,有没有办法用户可以破解网址编辑别人。
Maybe you could organize the controller action such that the URL is more like http://localhost/person/editme and it displays the edit form for the currently-logged-in user. That way there's no way a user could hack the URL to edit someone else.
这篇关于使用角色asp.net mvc的授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
