MVC 3 - 针对特定用户只能访问 [英] MVC 3 - access for specific user only

问题描述

在我的web应用程序的注册用户可以添加新的内容，后来编辑。我想只有内容的作者能够对其进行编辑。难道还有比手动编写code在所有的行动方法，如果登录用户相同的笔者，检查这样做其他任何聪明的办法？我可以用于整个控制器的任何属性？

解决方案

  

这是我可以用整个控制器的任何属性？

是的，你可以用一个自定义的扩展授权属性

 公共类AuthorizeAuthorAttribute：AuthorizeAttribute
{
    保护覆盖布尔AuthorizeCore（HttpContextBase的HttpContext）
    {
        VAR isAuthorized = base.AuthorizeCore（HttpContext的）;
        如果（！isAuthorized）
        {
            //用户要么不认证，不
            //不是角色= GT;没有必要继续进一步
            返回false;
        }        //获取当前登录的用户
        VAR用户名= httpContext.User.Identity.Name;        //获取他试图操纵文章的id
        //从路由数据（假定该ID将作为传递路线
        //数据参数：/富/编辑/ 123）。如果不是这种情况下，你
        //使用查询字符串参数，你可以使用请求获取ID
        VAR ID = httpContext.Request.RequestContext.RouteData.Values​​ [ID]作为字符串;        //现在我们有了当前用户和文章的ID，他
        //试图manipualte所有剩下的就是继续前进，在看
        //看看我们的数据库，如果该用户是文章的主人
        返回IsUserOwnerOfArticle（用户名，ID）;
    }    私人布尔IsUserOwnerOfArticle（用户名字符串，字符串条款ArticleID）
    {
        抛出新NotImplementedException（）;
    }
}
 

和则：

  [HttpPost]
[AuthorizeAuthor]
公众的ActionResult编辑（INT ID）
{
    ...执行编辑
}
 

In my web application registered users can add new content and edit it later. I want only the content's author to be able to edit it. Is there any smart way of doing this other than manually writing code in all the action methods that checks if the logged user is the same as the author? Any attribute that I could use for the whole controller?

解决方案

Any attribute that I could use for the whole controller?

Yes, you could extend the Authorize attribute with a custom one:

public class AuthorizeAuthorAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            // the user is either not authenticated or
            // not in roles => no need to continue any further
            return false;
        }

        // get the currently logged on user
        var username = httpContext.User.Identity.Name;

        // get the id of the article that he is trying to manipulate
        // from the route data (this assumes that the id is passed as a route
        // data parameter: /foo/edit/123). If this is not the case and you 
        // are using query string parameters you could fetch the id using the Request
        var id = httpContext.Request.RequestContext.RouteData.Values["id"] as string;

        // Now that we have the current user and the id of the article he
        // is trying to manipualte all that's left is go ahead and look in 
        // our database to see if this user is the owner of the article
        return IsUserOwnerOfArticle(username, id);
    }

    private bool IsUserOwnerOfArticle(string username, string articleId)
    {
        throw new NotImplementedException();
    }
}

and then:

[HttpPost]
[AuthorizeAuthor]
public ActionResult Edit(int id)
{
    ... perform the edit
}

这篇关于MVC 3 - 针对特定用户只能访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！