How to use the Authorize attribute both at the controller and action level?

Problem description

I have implemented my own custom Authorize attribute.

The attribute is applied both at the controller level and at the action level.

Here is an example of what I need to do:

[ClaimsAuthorize(Roles = "AdvancedUsers")]
public class SecurityController : Controller
{
    [ClaimsAuthorize(Roles = "Administrators")]
    public ActionResult AdministrativeTask()
    {
        return View();
    }

    public ActionResult SomeOtherAction()
    {
        return View();
    }
}

Currently if a user has the Administrator Role but not the AdvancedUsers role, he cannot execute "Administrative Task".

How can I change this behavior to perform a security check at the action level even if the user is not authorized at the controller level?

For the moment, the only solution I can think about is to implement 2 attributes: one for securing controllers, another for securing actions. Then I would play with the Order property to execute the one at the action level first.

However, I would prefer a solution with a single attribute if possible.

Recommended answer

To make specific actions restricted you simply use the Authorize-attribute on the methods that handle these actions. When you mark an action method with the Authorize attribute, access to that action method is restricted to users who are both authenticated and authorized.

     //[ClaimsAuthorize(Roles = "AdvancedUsers")]
     public class SecurityController : Controller
     {
        // Roles takes a single string; several roles are comma-separated
        // (as with AuthorizeAttribute.Roles).
        [ClaimsAuthorize(Roles = "Administrators,Role2,Role3")]
        public ActionResult AdministrativeTask()
        {
            return View();
        }
     }

Or you can override your authorization at the controller level by creating a new OverrideAuthorizeAttribute attribute.

public class OverrideAuthorizeAttribute : AuthorizeAttribute {
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
    }
}

And you can use this attribute to override your controller-level authorization.

[ClaimsAuthorize(Roles = "AdvancedUsers")]
public class SecurityController : Controller
{
    [ClaimsAuthorize(Roles = "Administrators")]
    public ActionResult AdministrativeTask()
    {
        return View();
    }
    // This role will override controller-level authorization
    [OverrideAuthorizeAttribute(Roles = "xxxx")]
    public ActionResult SomeOtherAction()
    {
        return View();
    }
}
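
A single-attribute variant of what the question asks for, as an added example that is not part of either post. It assumes ClaimsAuthorizeAttribute derives from System.Web.Mvc.AuthorizeAttribute (the page does not show its definition) and treats a declaration on the action as replacing the one on the controller.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Assumption: the custom attribute derives from the MVC AuthorizeAttribute.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // Declarations of this attribute on the action method itself.
        // ActionDescriptor reflects the method only, so the controller-level
        // declaration is not part of this list.
        var onAction = filterContext.ActionDescriptor
            .GetCustomAttributes(typeof(ClaimsAuthorizeAttribute), true)
            .Cast<ClaimsAuthorizeAttribute>()
            .ToArray();

        // MVC runs one attribute instance per declaration. If the action has
        // its own declaration and this instance does not match it, this is the
        // controller-level instance: step aside and let the action-level one decide.
        bool superseded = onAction.Length > 0 &&
            !onAction.Any(a => a.Roles == Roles && a.Users == Users);
        if (superseded)
            return;

        // Otherwise run the normal checks (authentication, Roles, Users,
        // AllowAnonymous and output-cache handling stay in the base class).
        base.OnAuthorization(filterContext);
    }
}
```

With this attribute, the controller from the question lets a user who is only in Administrators reach AdministrativeTask, while SomeOtherAction still requires AdvancedUsers. Because an action-level declaration fully replaces the controller-level requirement, a weaker role on an action loosens access to that action.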
