Authorize attribute in MVC order, priority and function question


Problem description


There is something in the roles I don't exactly get. using the [Authorize] attribute


When you have the [Authorize] attribute on the controller and on the action:


  1. When a role is on both, that role will have access.

  2. When a role is only defined on the controller, but not on the action, there is no access.

  3. When a role is only defined on the action, but not on the controller, there is no access.


I get that, that's logical. You need access to the controller before you can run an action.


What I don't get is why this doesn't work:

[Authorize(Roles = "Algemeen Beheer, Admin, Coordinator, Secretariaat")]
public class FacturatieGegevensController : Controller {

    [Authorize(Users = "Stefan.coordinator", Roles = "Algemeen Beheer, Admin")]
    public ActionResult Create(int instID) {

        return View();
    }

}


When I am logged in as user Stefan.coordinator, which has the role Coordinator, I can access the controller, but I cannot access the Create action. I thought this would be an OR relation between Users and Roles. Is it not? And how do I get this to work?

Recommended answer


The condition to access the Create method is:


((ROLE in { Algemeen Beheer, Admin, Coordinator, Secretariaat })) [from controller-level] AND ((USER in { Stefan.coordinator }) AND (ROLE in { Algemeen Beheer, Admin })) [from method-level]


Once all the ANDs / ORs have been worked out, this results in simply:


USER in { Stefan.coordinator } AND ROLE in { Algemeen Beheer, Admin }


That is, within a particular AuthorizeAttribute, the Users and Roles are ANDed together. And across multiple AuthorizeAttributes, the conditions are ANDed together.


The best way to think of this is that the [Authorize] attributes are not aware of each other, so each executes independently. The controller-level one goes first, then the method-level one goes. To get access to the method, you need to pass all gates.


Edit - there was a question on how the logic works out as it does above.

Let:

A = ROLE is "Algemeen Beheer"
B = ROLE is "Admin"
C = ROLE is "Coordinator"
D = ROLE is "Secretariaat"
E = USER is "Stefan.coordinator"


Since the controller-level [Authorize] attribute is (A || B || C || D), the method-level [Authorize] attribute is (E && (A || B)), and multiple [Authorize] attributes are represented by a logical AND, the logic ends up as (A || B || C || D) && (E && (A || B)), which reduces to E && (A || B), which requires the user to be named "Stefan.coordinator" and to be in the "Algemeen Beheer" or "Admin" roles. Since the user Stefan.coordinator isn't in either of these two roles, the check fails.

Your specific question.


If you want to apply your own logic to the [Authorize] attribute checks, subclass AuthorizeAttribute and override the AuthorizeCore method. That way you can say if (User == "Stefan.coordinator" || base.AuthorizeCore(...)) { ... }.
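An added example, not from the original answer, of the AuthorizeCore override the answer suggests. It assumes ASP.NET MVC's System.Web.Mvc.AuthorizeAttribute; the attribute name AuthorizeUserOrRoleAttribute is hypothetical. Inside this one attribute, Users and Roles are ORed; the controller-level [Authorize] still runs first and is ANDed with it, so the action-level attribute must carry the complete condition you intend.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: grants access when the caller is EITHER one of the
// listed Users OR in one of the listed Roles. The stock AuthorizeAttribute ANDs
// Users and Roles within one attribute, and stacked attributes are still ANDed,
// so use this in place of the stock attribute on the action, not alongside it.
public class AuthorizeUserOrRoleAttribute : AuthorizeAttribute
{
    private static string[] Split(string csv)
    {
        return (csv ?? string.Empty)
            .Split(',')
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToArray();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // anonymous callers are always denied

        var users = Split(Users);
        var roles = Split(Roles);

        // Same behaviour as the base class when neither list is configured.
        if (users.Length == 0 && roles.Length == 0) return true;

        bool namedUser = users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase);
        bool inRole = roles.Any(user.IsInRole);
        return namedUser || inRole;
    }
}

// Usage: Create is reachable by Stefan.coordinator OR anyone in Algemeen Beheer / Admin,
// provided the controller-level gate (which still runs first) also passes.
[Authorize(Roles = "Algemeen Beheer, Admin, Coordinator, Secretariaat")]
public class FacturatieGegevensController : Controller
{
    [AuthorizeUserOrRole(Users = "Stefan.coordinator", Roles = "Algemeen Beheer, Admin")]
    public ActionResult Create(int instID)
    {
        return View();
    }
}
```

Because the controller-level attribute is still ANDed, Stefan.coordinator only reaches Create here because the Coordinator role passes the controller gate first.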

