如何创建自定义授权在asp.net MVC3过滤器 [英] how to create custom authorize filter in asp.net mvc3
问题描述
我有一个问题我建立在asp.net MVC3的站点,结果
在我做了我几个控制器所有的人都认可结果
因为我不希望这样的控制器,未经授权的用户访问。结果
让我们假设我有一个控制器和2个方法是如下
i have a problem i am building a site in asp.net mvc3 ,
in which i made my several controllers all of them are authorized
because i don't want that unauthorized user access that controller.
Let suppose i have a controller and 2 methods in it as following
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
namespace Com.health.Controllers
{
[Authorize]
public class MyfirstController : Controller
{
public ActionResult Index()
{
return View();
}
public ActionResult seeyourDetails(int id)
{
return View();
}
}
}
现在让我们假设我们的方法 seeyourDetails
告诉任何用户自己的帐户信息,但问题是这样的,当用户访问当时这种方法的URL是 http://www.exampple.com/Myfirst/seeyourDetails/10
,其中 10
是我告诉他他目前的用户ID细节,但我应该怎么做,如果一个人登录到我的网站,他访问该网址,然后手动添加 10
或在网址中的其他一些我的控制器会告诉他所有的细节关于该用户。
now let suppose our method seeyourDetails
tells any user his account information , but the problem is this that when user access this method at that time the URL is http://www.exampple.com/Myfirst/seeyourDetails/10
, where 10
is current user id by which i show him his details , but what should i do, if a persons login into my site and he access this URL and manually add 10
or any other number in URL my controller will show him all details regarding that user .
注:我可以这样做在一个地方或两个地方,但我需要一些解决方案,我在一个地方实施和它在我的整个应用程序的影响。谢谢
Note : I can do this in one place or two places but i need some solution that i implement in one place and it effects in my whole application . Thanks
推荐答案
我看到的唯一方法是检查是否从查询字符串中的用户ID与用户ID登录相同的,这更是一个修补的东西解决方案,正确的方法是改变应用程序的工作原理。事情是这样的,你还需要修改一下。
The only way I see is to check if the user id from query string is the same with the user id logged in. This is more of a patching things solution, the proper way is to change how the app works. Something like this, you still need to modify it a bit.
[AttributeUsage(AttributeTargets.Method|AttributeTargets.Class, AllowMultiple = false)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
var ctx = filterContext.HttpContext;
var name = ctx.User.Identity.Name;
//get user id from db where username= name
var urlId = Int32.Parse(ctx.Request.Params["id"]);
if (userId!=urlId)
filterContext.Result = new HttpUnauthorizedResult();
}
}
这篇关于如何创建自定义授权在asp.net MVC3过滤器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!