ASP.NET MVC:我可以说[授权角色= QUOT;管理员和QUOT]在控制器类,但有一个公益行动? [英] ASP.NET MVC: Can I say [Authorize Roles="Administrators"] on the Controller class, but have one public action?
问题描述
我开始使用默认的项目的的AccountController ,但我已经扩展/改变它面目全非。然而,与原来的普通我有一个 LogOn支持和注销等的行动。
I started off using the default project's AccountController, but I've extended/changed it beyond recognition. However, in common with the original I have a LogOn and LogOff action.
显然, LogOn支持操作必须是每个人都可以访问。然而,因为我已经添加了很多其他的行动,以该控制器(用于创建和放大器;编辑用户)。我想行动的99%需要管理员角色成员
Clearly, the LogOn action must be accessible to everyone. However, since I've added lots of other actions to this controller (to create & edit users), I want 99% of the actions to require administrator role membership.
我可以装饰我的所有行动[授权角色=管理员] 但有我会忘记一个风险。我宁愿让它默认安全,通过与属性本身装潢控制器类,然后放松对我的 LogOn支持法的要求。我能做到吗?
I could decorate all my actions with [Authorize Roles="Administrators"] but there's a risk I'll forget one. I'd rather make it secure by default, by decorating the controller class itself with that attribute, and then relax the requirement on my LogOn method. Can I do that?
(如,我能做到这一点外的开箱而不创建自定义类,等等。我不希望事情超过必要的复杂性。)
(As in, can I do that out-of-the-box without creating custom classes, etc. I don't want to complicate things more than necessary.)
推荐答案
要在操作级别覆盖的控制器属性,你必须创建一个自定义属性,然后你的自定义属性的顺序属性设置为比控制器更高的价值AuthorizeAttribute。我相信,这两个属性,然后仍会执行,除非你的自定义属性生成具有如重定向直接作用的结果。
To override an controller Attribute at the Action level you have to create a custom Attribute and then set the Order property of your custom attribute to a higher value than the controller AuthorizeAttribute. I believe both attributes are then still executed unless your custom attribute generates a result with immediate effect such as redirecting.
所以我相信你的情况,你只需要添加AuthorizeAttribute上操作,而不是在控制器级别。然而,你可以创建一个单元测试,以确保所有操作(除了,登录)有一个AuthorizeAttribute
So I believe in your case you will just have to add the AuthorizeAttribute on the Actions and not at the controller level. You could however create a unit test to ensure that all Actions (apart from LogOn) have an AuthorizeAttribute
这篇关于ASP.NET MVC:我可以说[授权角色= QUOT;管理员和QUOT]在控制器类,但有一个公益行动?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
