Role Management in MVC3


Problem description

I want to add functionality to the application such that only an admin can create users, and he can give users access to particular pages.

He can create roles and can give users different roles.

I am using Visual Studio 2010 and building this application in MVC3.

Please give me suggestions on how to get this done.

Thanks in advance.

Recommended answer

1. Decorate your user creation and permission-setting actions with the Authorize attribute. (Note that using the Roles property of AuthorizeAttribute requires implementing a MembershipProvider (standard or custom) and registering it in web.config.)

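    using System.Web.Mvc;

    public class AccountController : Controller
    {
        [HttpGet, Authorize(Roles = "Admin")]
        public ViewResult CreateUser()
        {
            return View();
        }

        // The POST overload needs its own parameter list to compile;
        // CreateUserModel is a hypothetical view model, not part of the original answer.
        [HttpPost, Authorize(Roles = "Admin")]
        public ActionResult CreateUser(CreateUserModel model)
        {
            //... call service method to create user
            return RedirectToAction("CreateUser"); // placeholder result
        }

        [HttpPost, Authorize(Roles = "Admin")]
        public ActionResult AssignPageToUser(int userId, string controllerName, string actionName)
        {
            //... insert record into table (UserPermissions) with attributes (userId, actionName, controllerName)
            return RedirectToAction("CreateUser"); // placeholder result
        }

        // other methods without decoration by authorize attribute
    }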

The next paragraphs are correct if you really want to have full control over action permissions separately for each user. If you think that your permissions can be grouped into a finite and small number of roles, you can decorate all actions/controllers with the Authorize attribute and specify the roles for which the action/controller is available: [Authorize(Roles = "Customer, Manager, RegionalAdmin")], and give the admin the ability to assign roles to users. But remember that it is enough to be in only 1 of the listed roles to get access; you can't use this attribute to require, for example, both the Admin and Manager roles. If you want to require more than 1 role, use multiple attributes:

    public class MyController : Controller
    {
        // Stacked attributes are each evaluated, so both roles are required.
        [Authorize(Roles = "Manager")]
        [Authorize(Roles = "Admin")]
        public ActionResult Action1()
        {
            //...
            return View();
        }
    }

2. For your pages you can create your own filter attribute, inherited from the Authorize attribute, that will check whether the action is available to the user (I think you want to assign actions, not views, to users).

    public class UserPermissionRequiredAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            var isAuthenticated = filterContext.HttpContext.User.Identity.IsAuthenticated;
            var userName = filterContext.HttpContext.User.Identity.Name;
            var actionName = filterContext.ActionDescriptor.ActionName;
            var controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
            // myUserActionPermissionsService is the answer's own service (not shown here).
            // Deny unless the user is authenticated AND has been granted this action.
            if (!isAuthenticated || !myUserActionPermissionsService.UserCanAccessAction(userName, actionName, controllerName))
            {
                filterContext.Result = new HttpUnauthorizedResult(); // aborts action executing
            }
        }
    }

3. Decorate the actions (controllers) that are accessible to users granted access by the admin:

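    public class MySpecialController : Controller
    {
        [UserPermissionRequired]
        public ActionResult Action1()
        {
            //...
            return View();
        }

        [UserPermissionRequired]
        public ActionResult Action2()
        {
            //...
            return View();
        }

        // Not decorated: no per-user permission check is applied here.
        public ActionResult Action3()
        {
            //...
            return View();
        }
    }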

I don't recommend using a base controller for that aim, because attribute usage is more flexible (you have control at the action/controller level instead of only the controller level), and it is a better way to implement separated responsibility. Base controller and filter attribute usage correlate as polymorphism and the switch operator.
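One way to write the step 2 filter so that it denies by default, as an added example that is not the answerer's code: it overrides AuthorizeCore instead of OnAuthorization, so the base class still produces the 401 result and handles output caching. IUserActionPermissions, InMemoryUserActionPermissions and the static Permissions field are hypothetical names, and the in-memory store is a constructed stand-in for the UserPermissions table.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction over the UserPermissions table from step 1.
public interface IUserActionPermissions
{
    bool UserCanAccessAction(string userName, string controllerName, string actionName);
}

// Constructed in-memory stand-in; a real implementation would query the database.
public class InMemoryUserActionPermissions : IUserActionPermissions
{
    private readonly HashSet<string> _grants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string userName, string controllerName, string actionName)
    {
        _grants.Add(Key(userName, controllerName, actionName));
    }

    public bool UserCanAccessAction(string userName, string controllerName, string actionName)
    {
        // Fail closed: anything the admin has not explicitly granted is denied.
        return _grants.Contains(Key(userName, controllerName, actionName));
    }

    private static string Key(string u, string c, string a) { return u + "\n" + c + "\n" + a; }
}

public class UserPermissionRequiredAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at application start (for example in Global.asax).
    public static IUserActionPermissions Permissions = new InMemoryUserActionPermissions();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check rejects anonymous users and applies any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext)) return false;

        var route = httpContext.Request.RequestContext.RouteData;
        return Permissions.UserCanAccessAction(
            httpContext.User.Identity.Name,
            route.GetRequiredString("controller"),
            route.GetRequiredString("action"));
    }
}
```

Route values are read from the top-level request, so a child action rendered with Html.Action is checked against the parent request's controller and action names.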
