ASP.NET MVC authorization & permission to use model classes


Question


This is my first post here, so hello :) Okay, let's get to the point... I am writing my first app in the ASP.NET MVC Framework and I have a problem with checking privileges to use instances of model classes (read, edit). Sample code looks like this:

// Controller action

[CustomAuthorize(Roles="Editor, Admin")]
public ActionResult Stats(int id)
{
    User user = userRepository.GetUser(id);

    if (user == null || !user.Activated || user.Removed)
        return View("NotFound");
    else if (!user.IsCurrentSessionUserOwned)
        return View("NotAuthorized");

    return View(user);
}


So far the authorize attribute protects only controller actions, so my question is: how to make the CustomAuthorize attribute check not only user roles and usernames but also, i.e., resources instantiated in action methods (above: the User class, but there are other ORM LINQ2SQL classes like News, Photos etc.). All of these objects to check have their unique IDs, so the user entity has its own ID, News have their IDs and a UserID field referenced to the Users table. How should I resolve that problem?

Answer


If I understand right, you want to let the user who writes News/Articles edit his own News or Articles even if he doesn't have the role of "Admin" or "Editor"..


Well, that is a tricky one; the simple solution would be:


Leave your CustomAuthorize as it is, BUT let it continue to the Action; instead of returning an error View or something, just inject an action parameter, i.e.:

CustomAuthorize:

// ..Your Role Validation Logic Here...
// Note: ActionParameters is only available on ActionExecutingContext, so this
// code belongs in an ActionFilterAttribute.OnActionExecuting override, not in
// AuthorizeAttribute.OnAuthorization (whose AuthorizationContext has no such property).
if (filterContext.ActionParameters.ContainsKey("isAuthorized"))
{
    filterContext.ActionParameters.Remove("isAuthorized");
}
// The key must match the action's parameter name ("isAuthorized" below), or the
// non-nullable bool parameter will have no value and model binding will throw.
filterContext.ActionParameters.Add("isAuthorized", isAuthorized);


Where isAuthorized will hold the result of the role validation logic.


So in your controller, you must add a 2nd parameter:

[CustomAuthorize(Roles="Editor, Admin")]
public ActionResult Stats(int id, bool isAuthorized)
{
    User user = userRepository.GetUser(id);

    if (user == null || !user.Activated || user.Removed)
        return View("NotFound");
    else if (user.Id != CurrentUser.Id && !isAuthorized)
        // not authorized by roles and not the owner: get away from here =D
        return View("NotAuthorized");

    return View(user);
}


I'm assuming you have access to a CurrentUser that comes from a property in BaseController (abstract class).


Implementing something more elaborate than that will result in a complex situation.


For instance you can, but it is not recommended:


A. Send the userID of the owner as a parameter (so every time you send an ID in the URL, GET or POST request, you must add the user ID of the owner as a parameter). But this can lead to really ugly security flaws, because you depend on the userID that is sent over the wire, which can be tampered with by the user, and voilà! I'm authorized now.


B. Try to instantiate the object in the action filter (but you must first figure out what entity you are trying to instantiate; this can lead to a long switch statement and a 3rd parameter in CustomAuthorize so you know which entity to get from the DB).
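The full shape of the accepted answer's approach, as an added example that is not code from the original post: the filter runs the role check, rejects anonymous callers outright, and injects its verdict as the `isAuthorized` action parameter; the action then combines that verdict with an ownership check. The `User` class, `IUserRepository`, the constructor-injected session user and the `CanAccess` helper are assumptions made for this example; the answer itself only states that `CurrentUser` comes from a property on an abstract `BaseController`.

```csharp
using System.Linq;
using System.Web.Mvc;

// Minimal model and repository stand-ins (hypothetical; the question's real
// LINQ2SQL classes are not shown on the page).
public class User
{
    public int Id { get; set; }
    public bool Activated { get; set; }
    public bool Removed { get; set; }
}

public interface IUserRepository
{
    User GetUser(int id);
}

// Role check that hands its verdict to the action instead of short-circuiting.
// It derives from ActionFilterAttribute because ActionParameters only exists on
// ActionExecutingContext, not on the AuthorizationContext an AuthorizeAttribute sees.
public class CustomAuthorizeAttribute : ActionFilterAttribute
{
    public string Roles { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var principal = filterContext.HttpContext.User;

        // Anonymous callers are still rejected outright; the "inject and let the
        // action decide" path is only for logged-in users lacking the listed roles.
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Roles="Editor, Admin" is a comma-separated list in the attribute.
        string[] allowedRoles = (Roles ?? string.Empty)
            .Split(',')
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        bool isAuthorized = allowedRoles.Any(principal.IsInRole);

        // The key must equal the action's parameter name; an unset value for a
        // non-nullable bool parameter makes the model binder throw.
        filterContext.ActionParameters["isAuthorized"] = isAuthorized;

        base.OnActionExecuting(filterContext);
    }
}

public abstract class BaseController : Controller
{
    // Assumed to be resolved from the session by the derived application.
    protected abstract User CurrentUser { get; }

    // Ownership-or-role rule kept in one place so every action applies it the same way.
    protected static bool CanAccess(User resource, User current, bool isAuthorized)
    {
        bool isOwner = current != null && resource.Id == current.Id;
        return isOwner || isAuthorized;
    }
}

public class UsersController : BaseController
{
    private readonly IUserRepository userRepository;
    private readonly User sessionUser;

    // Dependencies injected for testability (assumed wiring, not from the post).
    public UsersController(IUserRepository userRepository, User sessionUser)
    {
        this.userRepository = userRepository;
        this.sessionUser = sessionUser;
    }

    protected override User CurrentUser { get { return sessionUser; } }

    [CustomAuthorize(Roles = "Editor, Admin")]
    public ActionResult Stats(int id, bool isAuthorized)
    {
        User user = userRepository.GetUser(id);

        // Existence and state checks come first, exactly as in the question.
        if (user == null || !user.Activated || user.Removed)
            return View("NotFound");

        // Owner or role-authorized: anyone else is turned away.
        if (!CanAccess(user, CurrentUser, isAuthorized))
            return View("NotAuthorized");

        return View(user);
    }
}
```

One consequence of this design worth checking in review: because the filter no longer blocks on a failed role check, an action decorated with `CustomAuthorize` that forgets to consult `isAuthorized` is reachable by any authenticated user. Routing every decision through one helper such as `CanAccess`, and reading the ownership comparison from the server-side `CurrentUser` rather than from anything in the request (the answer's option A), keeps that failure mode visible.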

