Document-Based Security in ASP.NET MVC


Problem description

I already know about User and Role-based security in ASP.NET MVC. But now I need something a little more granular.

Let's say I have a list of documents, some of which the user is authorized for, some not. Each document has a corresponding record in a documents table in a database. Documents can be downloaded for viewing, if the user has security access. Documents can also be added, if you have the role. Each document has a URL, and each document list has a URL.

I would like to security trim the list so that the user only sees those documents for which he is authorized. But I also need to authenticate the URL requests for these lists and documents, since there is nothing preventing a user from bookmarking a document they no longer have access to, or simply typing the URL into the browser.

Is the built-in role-based security model suitable for this, or do I need to create separate, table-based security? Can I put the security in my repository, so that the returned records are already trimmed, or should it be part of the controller? Do I need a security attribute to validate the controller request, or should I just put it in the controller method as the first few lines of code?

Recommended answer

@Robert, I think you've already answered your own question when you said you should trim them before they reach the view. So in your business logic, as a preference over the repository, you might want to do a lambda to trim off the excess, so to speak.

In my opinion, I would never return any records to the view that the user wasn't allowed to see. Why increase risk and traffic?

As for the bookmarks, I think there you're going to need to do some business logic preventing them from going to the URL when access no longer exists.

I thought the controller was simply there to serve the data to the page and not to have any logic as such, so I'd prefer the business layer approach for this one, as it does appear to be a business rule.

That might not be what you had in mind but unless there is a better approach it's the one I would use.
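The following is an added example, not code from the asker or the answerer, sketching the layout the answer recommends: the repository joins the documents table to a per-document access table so both the list and the single-document lookup are trimmed before the controller sees them, the controller answers a bookmarked or hand-typed URL for a document the user can no longer see with a 404, and the "can add" decision stays on the built-in `[Authorize(Roles = ...)]` attribute. It targets ASP.NET MVC 5 (`System.Web.Mvc`); the type names, the `DocumentContributor` role, the `DocumentAccess` table and the in-memory sample data are all assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical entities standing in for the documents table and an access table.
public class Document
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string StoragePath { get; set; }
}

public class DocumentAccess
{
    public int DocumentId { get; set; }
    public string UserName { get; set; }
}

public interface IDocumentRepository
{
    // Only the documents this user may see (security trimming happens here).
    IEnumerable<Document> GetAuthorizedDocuments(string userName);
    // The document if this user may see it, otherwise null.
    Document GetAuthorizedDocument(string userName, int documentId);
    // Insert a document and grant the creating user access to it.
    void Add(Document document, string ownerUserName);
}

public class InMemoryDocumentRepository : IDocumentRepository
{
    private readonly List<Document> _documents = new List<Document>();
    private readonly List<DocumentAccess> _access = new List<DocumentAccess>();

    public IEnumerable<Document> GetAuthorizedDocuments(string userName)
    {
        // Join to the access table so nothing unauthorized leaves the repository.
        return from d in _documents
               join a in _access on d.Id equals a.DocumentId
               where string.Equals(a.UserName, userName, StringComparison.OrdinalIgnoreCase)
               select d;
    }

    public Document GetAuthorizedDocument(string userName, int documentId)
    {
        // Same filter for a single lookup: a stale bookmark yields null.
        return GetAuthorizedDocuments(userName).FirstOrDefault(d => d.Id == documentId);
    }

    public void Add(Document document, string ownerUserName)
    {
        document.Id = _documents.Count == 0 ? 1 : _documents.Max(d => d.Id) + 1;
        _documents.Add(document);
        _access.Add(new DocumentAccess { DocumentId = document.Id, UserName = ownerUserName });
    }
}

public class DocumentsController : Controller
{
    private readonly IDocumentRepository _repository;

    // Constructed sample data so the example runs without a database.
    public DocumentsController() : this(SampleRepository()) { }

    public DocumentsController(IDocumentRepository repository)
    {
        _repository = repository;
    }

    private static IDocumentRepository SampleRepository()
    {
        var repo = new InMemoryDocumentRepository();
        repo.Add(new Document { Title = "Q1 report", StoragePath = @"C:\docs\q1.pdf" }, "alice");
        repo.Add(new Document { Title = "Payroll", StoragePath = @"C:\docs\payroll.pdf" }, "bob");
        return repo;
    }

    // GET /Documents: the view only ever receives the trimmed list.
    [Authorize]
    public ActionResult Index()
    {
        return View(_repository.GetAuthorizedDocuments(User.Identity.Name).ToList());
    }

    // GET /Documents/Download/5: re-checks access on every request, so a
    // bookmarked or typed URL is not enough once access has been revoked.
    [Authorize]
    public ActionResult Download(int id)
    {
        var doc = _repository.GetAuthorizedDocument(User.Identity.Name, id);
        if (doc == null)
        {
            // Same response for "missing" and "not yours": no ID enumeration oracle.
            return HttpNotFound();
        }
        return File(doc.StoragePath, "application/octet-stream", doc.Title);
    }

    // POST /Documents/Create: adding is a role decision, so the built-in
    // role-based model covers it; the row-level table covers viewing.
    [HttpPost, ValidateAntiForgeryToken]
    [Authorize(Roles = "DocumentContributor")]
    public ActionResult Create(Document model)
    {
        if (!ModelState.IsValid) return View(model);
        _repository.Add(model, User.Identity.Name);
        return RedirectToAction("Index");
    }
}
```

With real data access the join in `GetAuthorizedDocuments` would run as a query against the documents and access tables, so the filter is applied once, on the server side, and the controller never has to remember to check. The constructor-injection overload is what a DI container would use in practice; the parameterless one exists only to keep this illustration self-contained.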
