Aid*_*daM 3 c# asp.net asp.net-mvc authorization asp.net-mvc-4
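I want to show/hide the Edit/Delete links (including menu items) based on the user's authorization. I have implemented an AuthorizeAttribute and supplied custom role-checking logic by overriding AuthorizeCore. I would like to use that logic when checking whether the user is allowed to see the Edit/Delete links in the LinkExtensions methods. Here is my setup: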
using System;
using System.Web.Mvc;

public class AuthorizeActivity : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
    }

    protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
    {
        bool isAuthorized = base.AuthorizeCore(httpContext);
        string actionType = httpContext.Request.HttpMethod;
        string controller = httpContext.Request.RequestContext.RouteData.Values["controller"].ToString();
        string action = httpContext.Request.RequestContext.RouteData.Values["action"].ToString();
        // Route values keep the casing typed in the URL, so compare case-insensitively;
        // otherwise "/admin/index" would skip the Admin branch below.
        //ADMINS
        if (string.Equals(controller, "Admin", StringComparison.OrdinalIgnoreCase))
        {
            if (httpContext.User.IsInRole(Constants.Admin))
                return true;
        }
        else
        {
            //DATA READERS ONLY
            if (string.Equals(action, "Details", StringComparison.OrdinalIgnoreCase) ||
                string.Equals(action, "Index", StringComparison.OrdinalIgnoreCase))
            {
                if (httpContext.User.IsInRole(Constants.DataReader))
                    return true;
            }
            //DATA WRITERS & IT
            else
            {
                ...
            }
        }
        return false;
    }
}
In addition, I used Vivien Chevallier's logic to create the authorized action link extension outlined here: http://vivien-chevallier.com/Articles/create-an-authorized-action-link-extension-for-aspnet-mvc-3 Now in my view I can use:
<li>@Html.ActionLinkAuthorized("Admin", "Index", "Admin",false) </li>
The link will be shown or not depending on the user's permissions. In my controller, the action is decorated with:
[AuthorizeActivity]
public ActionResult Index()
{
    return View(view);
}
The authorized link does not work unless I specify "Roles" in the attribute, which I think is redundant, like this:
[AuthorizeActivity(Roles = Constants.roleSalesContractAdmin)]
public ActionResult Index()
{
    return View(view);
}
I can't seem to find a way to reuse the logic in the AuthorizeAttribute. Ideally, it would be called in ActionLinkAuthorized, the way Vivien has it:
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName, RouteValueDictionary routeValues, IDictionary<string, object> htmlAttributes, bool showActionLinkAsDisabled)
{
    if (htmlHelper.ActionAuthorized(actionName, controllerName)) //The call to verify here -- or inside ActionAuthorized
    {
        return htmlHelper.ActionLink(linkText, actionName, controllerName, routeValues, htmlAttributes);
    }
    else
    {
        if (showActionLinkAsDisabled)
        {
            TagBuilder tagBuilder = new TagBuilder("span");
            // SetInnerText HTML-encodes the text, matching what ActionLink does with linkText.
            tagBuilder.SetInnerText(linkText);
            return MvcHtmlString.Create(tagBuilder.ToString());
        }
        else
        {
            return MvcHtmlString.Empty;
        }
    }
}
Here is the ActionAuthorized method. The OnAuthorization call does not go to the custom one.
public static bool ActionAuthorized(this HtmlHelper htmlHelper, string actionName, string controllerName)
{
    ControllerBase controllerBase = string.IsNullOrEmpty(controllerName) ? htmlHelper.ViewContext.Controller : htmlHelper.GetControllerByName(controllerName);
    ControllerContext controllerContext = new ControllerContext(htmlHelper.ViewContext.RequestContext, controllerBase);
    ControllerDescriptor controllerDescriptor = new ReflectedControllerDescriptor(controllerContext.Controller.GetType());
    ActionDescriptor actionDescriptor = controllerDescriptor.FindAction(controllerContext, actionName);
    if (actionDescriptor == null)
        return false;
    FilterInfo filters = new FilterInfo(FilterProviders.Providers.GetFilters(controllerContext, actionDescriptor));
    AuthorizationContext authorizationContext = new AuthorizationContext(controllerContext, actionDescriptor);
    foreach (IAuthorizationFilter authorizationFilter in filters.AuthorizationFilters)
    {
        authorizationFilter.OnAuthorization(authorizationContext); //This call
        if (authorizationContext.Result != null)
            return false;
    }
    return true;
}
In your view, you can write:
@if (User.IsInRole("role"))
{
    <li>@Html.ActionLink("Words", "View", "Controller")</li>
    <li>@Html.ActionLink("Words", "View", "Controller")</li>
}
...and assuming they are logged in, it will conditionally hide the links
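Added example, not code from the question, the answer, or Vivien Chevallier's article: one way to share the role rules between the attribute and the link helper is to move them into a single function that takes the target controller and action as arguments, so the helper evaluates the link's destination rather than the route of the page being rendered. `ActivityPolicy` and `AuthorizedLinkExtensions` are hypothetical names, the `Constants` values are constructed stand-ins, the target action is assumed to carry `[AuthorizeActivity]`, and the data-writer branch the question elides is left as deny.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public static class Constants // stand-in for the question's class; values are constructed
{
    public const string Admin = "Admin";
    public const string DataReader = "DataReader";
}

// Hypothetical shared policy: the only place the role rules live.
public static class ActivityPolicy
{
    public static bool IsAllowed(IPrincipal user, string controller, string action)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        // Route values keep the casing typed in the URL, so compare case-insensitively.
        if (Same(controller, "Admin"))
            return user.IsInRole(Constants.Admin);
        if (Same(action, "Details") || Same(action, "Index"))
            return user.IsInRole(Constants.DataReader);
        return false; // writer/IT branch is elided in the question: deny by default
    }
    private static bool Same(string a, string b)
    {
        return string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
    }
}

public class AuthorizeActivity : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var route = httpContext.Request.RequestContext.RouteData;
        return ActivityPolicy.IsAllowed(httpContext.User,
            route.GetRequiredString("controller"), route.GetRequiredString("action"));
    }
}

public static class AuthorizedLinkExtensions
{
    public static bool ActionAuthorized(this HtmlHelper html, string actionName, string controllerName)
    {
        // Check the link's target; fall back to the current controller only when none is given.
        string controller = string.IsNullOrEmpty(controllerName) ? html.ViewContext.RouteData.GetRequiredString("controller") : controllerName;
        return ActivityPolicy.IsAllowed(html.ViewContext.HttpContext.User, controller, actionName);
    }
}
```

The attribute stays on every action: hiding a link only changes what is rendered, and the server-side check is what enforces access.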