Asp.net mvc 自定义用户级别和权限MVC
每当调用GET或POST来创建或编辑文章页面时,我希望使用以下方法:Asp.net mvc 自定义用户级别和权限MVC,asp.net-mvc,vb.net,asp.net-mvc-3,Asp.net Mvc,Vb.net,Asp.net Mvc 3,每当调用GET或POST来创建或编辑文章页面时,我希望使用以下方法: ' userId = ID or username of the user logged in ' companyId = ID or name of the company for which the current blog is assigned ' blogId = ID or name of the blog for which the article is being written ' returnSuccess
' userId = ID or username of the user logged in
' companyId = ID or name of the company for which the current blog is assigned
' blogId = ID or name of the blog for which the article is being written
' returnSuccessView = the view that will be returned if the user has access
' returnFailView = the view that will be returned if the user does not have access
return View(CheckUserAccess(userId, companyId, blogId, returnSuccessView, returnFailView))
有人能告诉我这个函数是什么样子的吗?我的结构是:
公司->博客->文章->评论
我想创建权限,以便只有属于特定公司、属于特定博客且具有特定权限的用户才能执行请求的任务
例如,我的用户模型将有一个用户可以关联到的公司的ICollection,他们可以有一个可以关联到的博客的ICollection。他们还可以拥有一个ICollection权限,如超级用户、文章作者、文章编辑、版主等
我将为权限创建一个单独的模型,以便可以通过UI添加和删除权限
该函数应检查请求的公司、博客和权限是否与用户关联的(在其ICollection中的)权限匹配
做这样的事情最好的方法是什么?谢谢。我建议您使用自定义的
[Authorize]
属性来处理此问题。让我们举一个例子:
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var authorized = base.AuthorizeCore(httpContext);
if (!authorized)
{
// The user is not even authenticated => we can't get much further
return false;
}
// At this stage we know that there's an authneticated user
// let's see who he is by fecthing his username
string username = httpContext.User.Identity.Name;
RouteData rd = httpContext.Request.RequestContext.RouteData;
// Now, let's read the companyId and blogId parameters that he sent
// into the request and ensure that he is not cheating on us
string companyId = rd.Values["companyId"] as string;
string blogId = rd.Values["blogId"] as string;
if (string.IsNullOrEmpty(companyId) || string.IsNullOrEmpty(blogId))
{
// One of the required parameters were not supplied when the action was invoked
// => we can't get much further
return false;
}
return IsOwner(username, companyId, blogId);
}
private bool IsOwner(string username, string companyId, string blogId)
{
// TODO: you know what to do here:
// check with your data store or wherever you have stored this info
throw new NotImplementedException();
}
}
现在,您可以使用以下属性装饰控制器/操作:
[MyAuthorize]
public ActionResult Edit(string companyId, string blogId)
{
// if we got that far it means that the user is authorized to edit this blog post
// and we could allow him to see the edit view
EditViewModel model = ...
return View(model);
}
[MyAuthorize]
[HttpPost]
public ActionResult Edit(EditViewModel model)
{
// if we got that far it means that the user is authorized to edit this blog post
// and we could go ahead and perform the necessary update
....
}
当然,为了确保用户没有试图在POST操作中欺骗您,您也可以使用以下属性对其进行修饰:
[MyAuthorize]
public ActionResult Edit(string companyId, string blogId)
{
// if we got that far it means that the user is authorized to edit this blog post
// and we could allow him to see the edit view
EditViewModel model = ...
return View(model);
}
[MyAuthorize]
[HttpPost]
public ActionResult Edit(EditViewModel model)
{
// if we got that far it means that the user is authorized to edit this blog post
// and we could go ahead and perform the necessary update
....
}
这很有见地。然而,我不知道如何为IsOwner创建该部件(这实际上是我在问题中提出的问题)。如果我的用户模型中有一个ICollection,它存储了所有用户的关联公司,那么我如何检查被请求公司的ICollection?哦,这是一些数据库或任何你正在使用的特定问题。这与ASP.NET MVC 3完全无关,而您最初的问题就是关于ASP.NET MVC 3的。在我的回答中,我向您展示了如何编写自定义授权属性,允许您读取RouteData参数并检索当前连接的用户名。您将如何验证用户是否属于博客或公司,或者我不知道什么将完全取决于您的实现。因此,我建议您启动一个新线程,解释您正在使用的数据访问技术(我猜是EF),显示您的DB模式。。。。。。问一个关于如何执行给定SQL或任何查询的非常具体的问题。我在问题中多次特别提到ICollection,问“有人能告诉我这个函数是什么样子的吗?”我是否应该为此提出一个新问题?我不想创建一个重复的。。。我觉得我问的是我的确切意思,但仍然不知道怎么做。我理解你的意思。然后,我将尝试针对我正在使用的实体框架发布一个新问题。不过,如果你能在这里回答这个问题,这将是有益的,因为这基本上是我问的同一个问题。