Asp.net core .netcore覆盖单个操作方法上的controllerlevel Authorized属性
在下面的controllercode中,只有“管理员”角色的用户才能访问GetData()操作方法, 因为controllerlevel属性。 但我也希望只有“管理者”角色的用户能够访问GetData()操作方法,即如何编写 这个的自定义属性Asp.net core .netcore覆盖单个操作方法上的controllerlevel Authorized属性,asp.net-core,asp.net-core-mvc,.net-core,Asp.net Core,Asp.net Core Mvc,.net Core,在下面的controllercode中,只有“管理员”角色的用户才能访问GetData()操作方法, 因为controllerlevel属性。 但我也希望只有“管理者”角色的用户能够访问GetData()操作方法,即如何编写 这个的自定义属性 [Authorize(Roles = "Administrator")] Pulic class AdminController : Controller { [Authorize(Roles = "Administrator, Manager")] p
[Authorize(Roles = "Administrator")]
Pulic class AdminController : Controller
{
[Authorize(Roles = "Administrator, Manager")]
public IActionResult GetData()
{
}
}
类级别属性总是首先被选中,因此它拒绝任何不属于正确角色的人。您需要在类级别指定最宽的访问权限,然后在需要时在方法级别将其缩小:
[Authorize(Roles = "Administrator, Manager")]
public class AdminController : Controller
{
// no attribute needed here
public IActionResult GetData()
{
}
[Authorize(Roles = "Administrator")]
public IActionResult RestrictedMethod()
{
}
}
在startup.cs文件中,按如下方式添加授权:
services.AddAuthorization(options =>
{
var roles = new List<string>{ Role.Administrator, Role.Manager};
var requirement =
new List<IAuthorizationRequirement> {new AdminManagerAuthorizationOverrideOthers(roles) };
var sharedAuthentication =
new AuthorizationPolicy(requirement,
new List<string>());
options.AddPolicy(name: "AdminManager", policy: sharedAuthentication);
options.AddPolicy(name: "Administrator", configurePolicy: policy => policy.RequireAssertion(e =>
{
if (e.Resource is AuthorizationFilterContext afc)
{
var noPolicy = afc.Filters.OfType<AuthorizeFilter>().Any(p =>
p.Policy.Requirements.Count == 1 &&
p.Policy.Requirements.Single() is AdminManagerAuthorizationOverrideOthers);
if (noPolicy)
return true;
}
return e.User.IsInRole(Role.Administrator);
}));
});
public class AdminManagerAuthorizationOverrideOthers : RolesAuthorizationRequirement
{
public AdminManagerAuthorizationOverrideOthers(IEnumerable<string> allowedRoles) : base(allowedRoles)
{
}
}
[Authorize(Policy = "Administrator")]
Public class AdminController : Controller
{
public IActionResult GetData()
{
}
[Authorize(Policy = "AdminManager")]
public IActionResult AdministratorOnly()
{
}
}
控制器中的绝大多数操作仅用于“管理员”角色,因此我正在寻找一个自定义属性,用于较少的操作属性装饰。请看,它可能提供您需要的内容,但我自己从未尝试过,我甚至不知道它是否在.NET Core中可用。该属性在.netcore中不存在。