多个相互了解的授权属性

Question

我有一个非常简单的场景.我想用自定义授权属性装饰我的控制器/操作.如果任何属性有效,则应授予授权.例如,

[MyAuth(1)]
[MyAuth(2)]
public class MyController : Controller
{
    ...
}

我无法将参数组合到单个授权属性中.以上示例仅是一个简化示例.

如果任一属性授权用户,我希望用户获得授权.我认为ActionFilterAttribute或者AuthorizeAttribute有办法看看其他过滤器已被执行并等待执行,但没有这样的运气.

我怎么能做到这一点？由于属性似乎没有任何意识,也许是HttpModule？一个习惯ControllerActionInvoker？

Answer 1

昨晚我设法让这个工作.我的解决方案如下.该属性非常标准,我已经修剪了实际的授权部分.有趣的东西发生在HasAssignedAcccessActionInvoker.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequiresAssignedAccess : AuthorizeAttribute
{
    public int AccessType { get; private set; }
    public int IdType { get; private set; }
    public int IdValue { get; private set; }
    public int Level { get; private set; }

    public RequiresAssignedAccess(int accessType, int idType, int idValue, int level)
    {
        ...
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))
            return false;

        bool retval = ...

        return retval;
    }
}

HasAssignedAcccessActionInvoker继承自标准动作调用者,但我重写了InvokeAuthorizationFilters方法以添加我们需要的授权逻辑.标准调用者只是通过授权过滤器旋转,如果它们中的任何一个返回结果,它就会打破循环.

public class HasAssignedAcccessActionInvoker : ControllerActionInvoker
{
    protected override AuthorizationContext InvokeAuthorizationFilters(ControllerContext controllerContext, IList<IAuthorizationFilter> filters, ActionDescriptor actionDescriptor)
    {
        AuthorizationContext authCtx = new AuthorizationContext(controllerContext, actionDescriptor);

        /*
         * If any of the filters are RequiresAssignedAccess, default this to false.  One of them must authorize the user.
         */
        bool hasAccess = !filters.Any(f => f is RequiresAssignedAccess);

        foreach (IAuthorizationFilter current in filters)
        {
            /*
             * This sets authorizationContext.Result, usually to an instance of HttpUnauthorizedResult
             */
            current.OnAuthorization(authCtx);

            if (current is RequiresAssignedAccess)
            {
                if (authCtx.Result == null)
                {
                    hasAccess = true;
                }
                else if (authCtx.Result is HttpUnauthorizedResult)
                {
                    authCtx.Result = null;
                }

                continue;
            }

            if (authCtx.Result != null)
                break;
        }

        if (!hasAccess && authCtx.Result == null)
            authCtx.Result = new HttpUnauthorizedResult();

        return authCtx;
    }
}

我不得不看看MVC与ILSpy的内部结构来解决这个问题.作为参考,这是该方法的重写版本:

protected virtual AuthorizationContext InvokeAuthorizationFilters(ControllerContext controllerContext, IList<IAuthorizationFilter> filters, ActionDescriptor actionDescriptor)
{
    AuthorizationContext authorizationContext = new AuthorizationContext(controllerContext, actionDescriptor);
    foreach (IAuthorizationFilter current in filters)
    {
        current.OnAuthorization(authorizationContext);
        if (authorizationContext.Result != null)
        {
            break;
        }
    }
    return authorizationContext;
}

最后,为了连接它并使一切成为可能,我们的控制器继承BaseController,现在返回新的调用程序.

public class BaseController : Controller
{
    protected override IActionInvoker CreateActionInvoker()
    {
        return new HasAssignedAcccessActionInvoker();
    }
}