ASP.NET MVC自定义授权

Question

ASP.NET MVC自定义授权

我对MVC中的自定义授权有疑问.

我有一个网站,我想限制访问某些页面,具体取决于他们的组成员身份.现在,我已经看到了大量关于如何执行此操作的示例,例如,如果存在单个管理组和单个用户组,而不是第三级的任何示例.

例如,只有公司的用户才能查看自己公司的订单(并且每家公司都有自己的管理员等).这些公司存储在DB中.所以我已经看到了进行自定义授权的AuthorizeCore方法,覆盖了方法AuthorizeAttribute,但我不知道如何访问传递给控制器的参数,以查看用户是否可以访问订单(例如,订单ID).

这甚至是检查的最佳位置,还是应该直接从控制器的方法处理？

Answer 1

tva*_*son 30

AuthorizationContext(OnAuthorize的参数)提供对Controller,RouteData,HttpContext等的访问.您应该能够在自定义授权过滤器中使用它们来执行您想要的操作.下面是从AuthorizeAttribute派生的RoleOrOwnerAttribute的代码示例.

public override void OnAuthorization( AuthorizationContext filterContext )
{
    if (filterContext == null)
    {
        throw new ArgumentNullException( "filterContext" );
    }

    if (AuthorizeCore( filterContext.HttpContext )) // checks roles/users
    {
        SetCachePolicy( filterContext );
    }
    else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
    {
        // auth failed, redirect to login page
        filterContext.Result = new HttpUnauthorizedResult();
    }
    // custom check for global role or ownership
    else if (filterContext.HttpContext.User.IsInRole( "SuperUser" ) || IsOwner( filterContext ))
    {
        SetCachePolicy( filterContext );
    }
    else
    {
        ViewDataDictionary viewData = new ViewDataDictionary();
        viewData.Add( "Message", "You do not have sufficient privileges for this operation." );
        filterContext.Result = new ViewResult { MasterName = this.MasterName, ViewName = this.ViewName, ViewData = viewData };
    }

}

// helper method to determine ownership, uses factory to get data context,
// then check the specified route parameter (property on the attribute)
// corresponds to the id of the current user in the database.
private bool IsOwner( AuthorizationContext filterContext )
{
    using (IAuditableDataContextWrapper dc = this.ContextFactory.GetDataContextWrapper())
    {
        int id = -1;
        if (filterContext.RouteData.Values.ContainsKey( this.RouteParameter ))
        {
            id = Convert.ToInt32( filterContext.RouteData.Values[this.RouteParameter] );
        }

        string userName = filterContext.HttpContext.User.Identity.Name;

        return dc.Table<Participant>().Where( p => p.UserName == userName && p.ParticipantID == id ).Any();
    }
}


protected void SetCachePolicy( AuthorizationContext filterContext )
{
    // ** IMPORTANT **
    // Since we're performing authorization at the action level, the authorization code runs
    // after the output caching module. In the worst case this could allow an authorized user
    // to cause the page to be cached, then an unauthorized user would later be served the
    // cached page. We work around this by telling proxies not to cache the sensitive page,
    // then we hook our custom authorization code into the caching mechanism so that we have
    // the final say on whether a page should be served from the cache.
    HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
    cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
    cachePolicy.AddValidationCallback( CacheValidateHandler, null /* data */);
}

Run Code Online (Sandbox Code Playgroud)

@IDisposable - 它继承AuthorizeAttribute的行为,因此只有在您被允许作为用户或角色时才会返回缓存的响应.如果您通过关联获得访问权限,则不会获得缓存响应.它可能更加智能,但授权保护页面的主要用户是管理员.我会看到我能做些什么来为那些通过"所有权"获得访问权限的人提供缓存响应. (2认同)
@IDisposable - 同样,重要的是不要使用先前请求的上下文(因为那个被授权).我们需要使用相同的机制重新授权此请求,但需要新的请求数据. (2认同)

归档时间：	16 年，4 月前
查看次数：	17966 次
最近记录：	13 年，3 月前