Permission based authorization .net identity


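Problem description

I am new to .NET, MVC & Identity Framework. I noticed that the identity framework allows securing individual controller actions via annotations.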

[Authorize]
public ActionResult Edit(int? Id){
    //edit action
}

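I would like to secure certain actions based on a user's permissions.

Example: a blog application where only the user who created a blog post can edit it.

With this in mind, is it possible to do either of the options below? If so, are there resources and examples on how best to achieve this?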

[Authorize(Entity = "Entry", Permission = "Edit", Id = Id)]
public ActionResult Edit(int? Id){
    //edit action
}

[BlogEntryPermission(Permission = "Edit", Id = Id)]
public ActionResult Edit(int? Id){
    //edit action
}

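Where the blog Id is captured from the request.

Any information or direction on permission based authentication would be appreciated. Thanks in advance for your help.

Recommended answer

You can implement a custom AuthorizationAttribute, in which you specify your parameters and can get the blogId from the request.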

using System;
using System.Web;
using System.Web.Mvc;

public class AuthorizeEntryPermission : AuthorizeAttribute
{
    public string Permission { get; set; }

    public AuthorizeEntryPermission()
    {
    }

    public AuthorizeEntryPermission(string Permission)
    {
        this.Permission = Permission;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The entry id comes from the route data of the current request
        var id = httpContext.Request.RequestContext.RouteData.Values["Id"];
        //check your permissions
        return false; // placeholder: deny until the permission check above is implemented
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (AuthorizeCore(filterContext.HttpContext))
        {
            // ** IMPORTANT **
            // Since we're performing authorization at the action level, the authorization code runs
            // after the output caching module. In the worst case this could allow an authorized user
            // to cause the page to be cached, then an unauthorized user would later be served the
            // cached page. We work around this by telling proxies not to cache the sensitive page,
            // then we hook our custom authorization code into the caching mechanism so that we have
            // the final say on whether a page should be served from the cache.

            HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
            cachePolicy.SetProxyMaxAge(new TimeSpan(0));
            cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
        }
        else
        {
            //handle no permission
            // Setting a result here stops the action from executing
            HandleUnauthorizedRequest(filterContext);
        }
    }

    private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
    {
        validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));
    }
}

Then use it like this:

[AuthorizeEntryPermission(Permission = "Edit")]
public ActionResult Edit(int? Id){
    //edit action
}
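
An added example, not part of the original answer: one way to fill in the `//check your permissions` step for the blog-entry case, written as a plain function so it can be run outside MVC. `EntryPermissions`, `CanAccess`, `ownerLookup` and the sample user ids are hypothetical names chosen for illustration.

```csharp
using System;
using System.Globalization;

// Added example: EntryPermissions, CanAccess and ownerLookup are hypothetical
// names; they are not part of ASP.NET Identity or of the answer above.
public static class EntryPermissions
{
    // Fail closed: any missing or malformed input denies access.
    public static bool CanAccess(object routeId, string userId, string permission,
                                 Func<int, string> ownerLookup)
    {
        // Anonymous callers never own an entry.
        if (string.IsNullOrEmpty(userId))
            return false;

        // The route value is caller-controlled text: accept plain digits only.
        int entryId;
        if (routeId == null ||
            !int.TryParse(routeId.ToString(), NumberStyles.None,
                          CultureInfo.InvariantCulture, out entryId))
            return false;

        // Grant only permissions this helper explicitly knows about.
        if (!string.Equals(permission, "Edit", StringComparison.Ordinal))
            return false;

        // ownerLookup returns the owner's user id, or null when no such entry exists.
        string ownerId = ownerLookup(entryId);
        return ownerId != null &&
               string.Equals(ownerId, userId, StringComparison.Ordinal);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: entry 7 belongs to user "u-alice".
        Func<int, string> lookup = id => id == 7 ? "u-alice" : null;

        Console.WriteLine(EntryPermissions.CanAccess("7", "u-alice", "Edit", lookup));   // owner
        Console.WriteLine(EntryPermissions.CanAccess("7", "u-bob", "Edit", lookup));     // another user
        Console.WriteLine(EntryPermissions.CanAccess("abc", "u-alice", "Edit", lookup)); // malformed id
        Console.WriteLine(EntryPermissions.CanAccess("99", "u-alice", "Edit", lookup));  // no such entry
        Console.WriteLine(EntryPermissions.CanAccess(null, "u-alice", "Edit", lookup));  // id not in route
    }
}
```

Inside `AuthorizeCore`, the arguments would be the `Id` route value, `httpContext.User.Identity.GetUserId()` (an extension method from `Microsoft.AspNet.Identity`) and the attribute's `Permission`. If the id reaches the action through the query string or form rather than a route segment, the route value is absent and this check denies the request.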
