使用实体框架管理实体访问权限 [英] Manage entity access and permissions with Entity Framework
问题描述
在使用Entity Framework 4.1的Web应用程序中,我们使用SQL Server成员身份来管理用户访问。然而,我们需要实现一个更精细的角色集权限管理。
在数据库中,我们已经创建了相对表:
- 角色
- 权限
- UserInRole(每个用户的角色)
- RolesPermissions(与角色关联的权限)
使用一些核心实体的属性,我们使用EF限制访问语义,例如给定一个特定的用户,他/他只能看到相对的出货订单或固有数据。
现在我们要注入其中的权限,这意味着一个客户可以查看和创建订单,而公司(这两个不同的角色)只能看到他们的产品的订单,也可以打印报告。
想法是在实体级使用属性,并检查当调用方法时当前用户是否拥有适当的权限。例如:
public void BeforeAdd()
{
//获取特定实体的必需权限(作为示例)
//检查当前用户是否有权创建新的订单
}
这样一个方法将被每个实体调用,允许集中控制实体级的权限。
我们使用MVC作为前端,在那里我们已经实现了角色和权限访问。我们需要使后端部分(包含数据层)相同。这些是通过Web服务进行通信的两个独立服务器通过在后端部分实施权限管理,将加强对数据访问的控制。
有没有任何模式或最佳实践,我们可以遵循(最终使用一些内置的功能的EF)实现权限管理?
是否有任何模式或最佳实践遵循
是的,它被称为面向方面的编程和 PostSharp 可能是最好的工具这个工作(不幸的是它不是免费的)。
但是,如果你使用MVC(你还没有提到任何东西),你可以得到你自己的版本 AuthorizeAttribut e 查询您自己的权限表,您可以简单地使用要允许的角色装饰您的操作,例如
[授权(Roles =客户,公司)]/ pre>
public ActionResult ViewOrders(...)
{
...
}
[授权(Roles =客户)]
public ActionResult CreateOrder(...)
{
...
}
In a web application using Entity Framework 4.1 we use SQL Server Membership to manage user access. However we need to implement a more granular set of roles a permission management.
In the database we have already created the relative tables:
- Roles - Permissions - UserInRole (roles per user) - RolesPermissions (permissions associated to a role)Using attributes on some of the core entities we restrict the access semantically with EF, as example, given a specific user, s/he can see only the relative shipped orders or inherent data.
Now we would like to inject the permissions in it, meaning as example that a customer can see and create orders, while a company (these are two different roles) could only see orders for their products and also print reports.
The idea would be to use attributes also for permissions at entity level and check if the current user owns proper rights when a method is invoked. For instance:
public void BeforeAdd() { // Get required permissions for the specific entity (Order as example) //Check that current user has permission of creating a new Order }Such a method would be called by each entity, allowing to centralize the control over permissions at entity level.
We use MVC as frontend and in there we have already implemented roles and permissions access. We need to make the same with the backend part (containing data layer). These are two separate servers communicating via web services. By implementing permission management on the back end part would strengthen the control over data access.
Is there any pattern or best practice that we could follow (eventually using some built in features of EF) to achieve permissions management?
解决方案Is there any pattern or best practice that we could follow
Yes, it's called Aspect-Oriented Programming and PostSharp is probably the best tool for the job (unfortunately it's not free).
However, if you are using MVC (you haven't mentioned anything as such yet) you could derive your own version of the AuthorizeAttribute to query your own permission tables and you can simply decorate your actions with the roles you want to allow e.g.
[Authorize(Roles="Customer, Company")] public ActionResult ViewOrders(...) { ... } [Authorize(Roles="Customer")] public ActionResult CreateOrder(...) { ... }
这篇关于使用实体框架管理实体访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
