允许多个角色访问控制器操作

Question

现在我装饰一个这样的方法,让"成员"访问我的控制器动作

[Authorize(Roles="members")]

如何允许多个角色？例如,以下内容不起作用,但它显示了我要做的事情(允许"成员"和"管理员"访问):

[Authorize(Roles="members", "admin")] 

Answer 1

另一种选择是在发布时使用单个授权过滤器,但删除内部引用.

[Authorize(Roles="members, admin")]

Answer 2

如果要使用自定义角色,可以执行以下操作:

CustomRoles 类:

public static class CustomRoles
{
    public const string Administrator = "Administrador";
    public const string User = "Usuario";
}

用法

[Authorize(Roles = CustomRoles.Administrator +","+ CustomRoles.User)]

如果您的角色很少,也许您可​​以将它们组合起来(为了清晰起见),如下所示:

public static class CustomRoles
{
     public const string Administrator = "Administrador";
     public const string User = "Usuario";
     public const string AdministratorOrUser = Administrator + "," + User;  
}

用法

[Authorize(Roles = CustomRoles.AdministratorOrUser)]

Answer 3

一种可能的简化是子类AuthorizeAttribute:

public class RolesAttribute : AuthorizeAttribute
{
    public RolesAttribute(params string[] roles)
    {
        Roles = String.Join(",", roles);
    }
}

用法:

[Roles("members", "admin")]

在语义上它与Jim Schmehil的答案相同.

Answer 4

对于MVC4,使用带有我的角色的Enum(UserRoles),我使用自定义AuthorizeAttribute.

在我的控制行动中,我这样做:

[CustomAuthorize(UserRoles.Admin, UserRoles.User)]
public ActionResult ChangePassword()
{
    return View();
}

我使用这样的习惯AuthorizeAttribute:

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class CustomAuthorize : AuthorizeAttribute
{
    private string[] UserProfilesRequired { get; set; }

    public CustomAuthorize(params object[] userProfilesRequired)
    {
        if (userProfilesRequired.Any(p => p.GetType().BaseType != typeof(Enum)))
            throw new ArgumentException("userProfilesRequired");

        this.UserProfilesRequired = userProfilesRequired.Select(p => Enum.GetName(p.GetType(), p)).ToArray();
    }

    public override void OnAuthorization(AuthorizationContext context)
    {
        bool authorized = false;

        foreach (var role in this.UserProfilesRequired)
            if (HttpContext.Current.User.IsInRole(role))
            {
                authorized = true;
                break;
            }

        if (!authorized)
        {
            var url = new UrlHelper(context.RequestContext);
            var logonUrl = url.Action("Http", "Error", new { Id = 401, Area = "" });
            context.Result = new RedirectResult(logonUrl);

            return;
        }
    }
}

这是FabricioMartínezTamayo修改过的FNHMVC的一部分https://github.com/fabriciomrtnz/FNHMVC/

Answer 5

您可以在 Startup.cs 中使用授权策略

    services.AddAuthorization(options =>
    {
        options.AddPolicy("admin", policy => policy.RequireRole("SuperAdmin","Admin"));
        options.AddPolicy("teacher", policy => policy.RequireRole("SuperAdmin", "Admin", "Teacher"));
    });

在控制器文件中：

 [Authorize(Policy = "teacher")]
 [HttpGet("stats/{id}")]
 public async Task<IActionResult> getStudentStats(int id)
 { ... }

“教师”政策接受 3 个角色。