ASP.NET MVC: the opposite of [Authorize]

Question (votes: 6, answers: 4)

The Authorize filter lets you specify which groups of users can access a controller or action:

[Authorize(Roles="Administrator")]
public class HomeController : Controller
{
    // code
}

I would like to know whether it is possible to specify a set of users who cannot access a controller or action.

asp.net-mvc authorization
4 Answers

5 votes

Following twk's suggestion, I tried creating my own AuthorizationAttribute:

using System;
using System.Web;
using System.Web.Mvc;

public class Restrict : AuthorizeAttribute
{
    private readonly string _role;

    public Restrict(string role)
    {
        _role = role;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        // Deny only members of the restricted role. Everyone else, anonymous
        // users included, is let through, because the base class's
        // authenticated/allow-list check is not called from this override.
        if (httpContext.User.IsInRole(_role))
            return false;

        return true;
    }
}

I use it like this:

[Restrict("Administrator")]
public class HomeController : Controller
{
    // code
}

I'm not sure whether this is the right way to do it, but it does the job.


1 vote

You should write your own ActionFilter to implement this kind of functionality. By default there is a rule that denies everything, and allowing is what the Authorize action filter defines (as you know).

Some inspiration can be found there.


1 vote

Based on ajbeaven's answer, I managed to extend it to a list of roles rather than a single role.

First, the Restrict class:

using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

public class Restrict : AuthorizeAttribute {
    private List<string> _roles;

    // Comma-separated list of roles that are denied access. 'new' is required
    // because this property hides the inherited AuthorizeAttribute.Roles allow-list.
    public new string Roles {
        get { return string.Join(",", _roles.ToArray()); }
        set { _roles = new List<string>(value.Split(',')); }
    }

    public Restrict() {
        _roles = new List<string>();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        if (httpContext == null) {
            throw new ArgumentNullException("httpContext");
        }
        // Deny as soon as the user is in any of the restricted roles.
        foreach (string role in _roles) {
            if (httpContext.User.IsInRole(role)) {
                return false;
            }
        }
        return true;
    }
}

Then add an AppRoles class so the whole solution stays reusable:

public static class AppRoles {
    public const string Role1 = "Role1";
    public const string Role2 = "Role2";
}

Usage:

[Authorize]
[Restrict(Roles = AppRoles.Role1 + "," + AppRoles.Role2)]
public ActionResult Index() {
    return View();
}

0 votes

Just the Restrict class:

using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class Restrict : AuthorizeAttribute
{
    // Comma-separated roles to deny, settable as a named attribute argument.
    public string RestrictedRoles;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!String.IsNullOrEmpty(RestrictedRoles))
        {
            var roles = RestrictedRoles.Split(',').Select(r => r.Trim());
            foreach (var role in roles)
            {
                if (httpContext.User.IsInRole(role))
                    return false;
            }
        }

        return true;
    }
}

Usage
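All of the Restrict variants in this thread replace AuthorizeAttribute's AuthorizeCore outright, so they stop checking that the caller is authenticated at all, and a denied user is sent to the login page rather than told they are forbidden. The following is an added example, not code from any of the answers: a hypothetical DenyRolesAttribute that keeps the base default-deny check and returns 403 for an authenticated user in a denied role (the attribute name, the DeniedRoles property and the sample role names are assumptions).

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical hardened variant of the Restrict attributes above.
public class DenyRolesAttribute : AuthorizeAttribute
{
    private string[] _deniedRoles = new string[0];

    // Comma-separated list, e.g. [DenyRoles(DeniedRoles = "Guest,Suspended")]
    public string DeniedRoles
    {
        get { return string.Join(",", _deniedRoles); }
        set
        {
            _deniedRoles = (value ?? string.Empty)
                .Split(',')
                .Select(r => r.Trim())
                .Where(r => r.Length > 0)
                .ToArray();
        }
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Keep the default-deny behaviour: anonymous users, and users outside
        // any Users/Roles allow-list set on this attribute, are rejected first.
        if (!base.AuthorizeCore(httpContext)) return false;

        // Then deny anyone holding one of the restricted roles.
        var user = httpContext.User;
        return !_deniedRoles.Any(user.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user hitting a denied role should get 403, not a
        // redirect to the login page (which would loop for a logged-in user).
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Applied as `[DenyRoles(DeniedRoles = "Guest")]` on a controller or action it behaves like `[Authorize]` plus a role deny-list, and it can be combined with `Roles = "..."` on the same attribute since the base allow-list check still runs.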
