Joh*_*ell 2 asp.net-mvc mvcroutehandler httpmodule asp.net-mvc-routing asp.net-mvc-3
让我留下来为我的应用程序的单个用户存储内容:
这些文件可能是这样的:
最终用户应该看到一个"友好"的网址.
http:// domain.com/files/{GUID}/bunny.jpg
该URL必须以某种方式通过控制器或httpmodule或thingIdontknow才能被授权查看该文件.这些权限可能每天都在变化,因此需要经常检查文件的权限.
从我读过的内容来看,这完全是可能的,但我不确定接下来要编码什么,或者有人在这里有任何见解.HttpModule还是Controller?我很困惑需要发生什么.
该URL必须以某种方式通过控制器或httpmodule或thingIdontknow才能被授权查看该文件.这些权限可能每天都在变化,因此需要经常检查文件的权限.
你不知道的东西有一个名字.它被称为授权操作过滤器.
首先让我们假设您已经注册了一个自定义路由来提供这些文件:
routes.MapRoute(
"MyImagesRoute",
"files/{id}/{name}",
new { controller = "Files", action = "Index" }
// TODO: you could constrain the id parameter to be a GUID.
// Just Google for a Regex that will match a GUID pattern and put here
// as route constraint
);
然后当然是一个相应的控制器为他们服务:
public class FilesController: Controller
{
public ActionResult Index(Guid guid, string name)
{
var path = @"C:\files";
var file = Path.Combine(path, guid.ToString(), name);
file = Path.GetFullPath(file);
if (!file.StartsWith(path))
{
// someone tried to be smart and send
// files/{Guid}/..\..\creditcard.pdf as parameter
throw new HttpException(403, "Forbidden");
}
// TODO: adjust the mime type based on the extension
return File(file, "image/png");
}
}
不幸的是,在这个阶段没有什么能阻止用户ALPHA请求用户BETA的文件,对吗?那是你想要处理的场景,不是吗?
因此,让我们编写一个自定义Authorize属性来保护此控制器操作:
public class MyAuthorizeAttribute: AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var authorized = base.AuthorizeCore(httpContext);
if (!authorized)
{
// The user is not authenticated or doesn't have
// permissions to access this controller action
return false;
}
// at this stage we know that there's some user authenticated
// Let's get the Guid now from our route:
var routeData = httpContext.Request.RequestContext.RouteData;
var id = routeData.Values["id"] as string;
Guid guid;
if (!Guid.TryParse(id, out guid))
{
// invalid Guid => no need to continue any further, just deny access
return false;
}
// Now we've got the GUID that this user is requesting
// Let's see who this user is:
string username = httpContext.User.Identity.Name;
// and finally ensure that this user
// is actually the owner of the folder
return IsAuthorized(username, guid);
}
private bool IsAuthorized(string username, Guid guid)
{
// You know what to do here: hit your data store to verify
// that the currently authenticated username is actually
// the owner of this GUID
throw new NotImplementedException();
}
}
然后让我们用这个授权属性装饰我们的控制器动作:
public class FilesController: Controller
{
[MyAuthorize]
public ActionResult Index(Guid guid, string name)
{
// at this stage we know that the currently authenticated user
// is authorized to access the file.
var path = @"C:\files";
var file = Path.Combine(path, guid.ToString(), name);
file = Path.GetFullPath(file);
if (!file.StartsWith(path))
{
// someone tried to be smart and send
// files/{Guid}/..\..\creditcard.pdf as parameter
throw new HttpException(403, "Forbidden");
}
var file = Path.Combine(@"c:\files", guid.ToString(), name);
// TODO: adjust the mime type based on the extension
return File(file, "image/png");
}
}