Asp.net web api 获取授权筛选器中的api控制器构造函数值


当用户通过身份验证后，我希望阻止他更新/删除/读取由其他帐户创建的数据……并告诉他没有权限（403）。

获取 ISchoolyearService 实例以调用其 HasUserPermission() 方法的最佳方式是什么？

我知道我可以在这里直接实例化 SchoolyearService，但这会彻底违背在我的应用程序中使用 IoC 容器的初衷。

public class UserActionsSchoolyearAuthorizationFilter : AuthorizationFilterAttribute
{
    /// <summary>
    /// Web API authorization filter. For PUT requests it decides whether the user may act on the
    /// schoolyear named by the "Id" route value and answers 403 Forbidden when not.
    /// The listing is truncated by the author ("Removed for brevity"), so the handling of other
    /// HTTP verbs and the closing of this method/class are not visible here.
    /// </summary>
    /// <param name="actionContext">Context of the action being authorized; a null context is ignored.</param>
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext != null)
        {
            // Default-deny: only an explicit permission check may flip this to true.
            bool canUserExecuteAction = false;
            if (actionContext.Request.Method == HttpMethod.Put)
            {
                // Convert.ToInt32 throws FormatException on a non-numeric route value, which
                // surfaces as a 500 rather than a 400/403; int.TryParse would fail more gracefully.
                int schoolyearId = Convert.ToInt32(actionContext.Request.GetRouteData().Values["Id"]);
                // SECURITY (review): this user id is read from the request body, which the caller
                // controls, so the permission check would be asked about an id of the client's
                // choosing. The id should come from the authenticated identity instead (e.g.
                // actionContext.RequestContext.Principal — confirm how this app maps it to a user id).
                // Blocking with .Result on the ASP.NET synchronization context can also deadlock;
                // overriding OnAuthorizationAsync and awaiting ReadAsAsync avoids that.
                int userId = actionContext.Request.Content.ReadAsAsync<SchoolyearEditRequest>().Result.Schoolyear.UserId;
                //var schoolyearService = actionContext.ControllerContext.Controller.GetContstructorParameterServiceInstance();
                //canUserExecuteAction = schoolyearService.HasUserPermission(userId, schoolyearId);
                // With the two lines above commented out, canUserExecuteAction is still false here,
                // so every PUT currently ends in the 403 branch.
                if (canUserExecuteAction)
                {
                    base.OnAuthorization(actionContext);
                }
                else
                {
                    // Authenticated but not permitted: short-circuit the pipeline with 403.
                    actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
                }

            }
            // Removed for brevity

    private readonly ISchoolyearService _service;
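            /// <summary>
            /// Creates the controller with the schoolyear service supplied by the IoC container.
            /// </summary>
            /// <param name="service">Service used for schoolyear operations; must not be null.</param>
            /// <exception cref="ArgumentNullException">Thrown when <paramref name="service"/> is null.</exception>
            public SchoolyearController(ISchoolyearService service)
            {
                // Fail at construction time rather than with a NullReferenceException on first use.
                if (service == null)
                {
                    throw new ArgumentNullException("service");
                }
                _service = service;
            }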
公共类UserActionsChoolyEArAuthorizationFilter:AuthorizationFilterAttribute
{
授权时的公共覆盖无效(HttpActionContext actionContext)
{
if(actionContext!=null)
{
bool canUserExecuteAction=false;
if(actionContext.Request.Method==HttpMethod.Put)
{
int schoolyearId=Convert.ToInt32(actionContext.Request.GetRouteData().Values[“Id”]);
int userId=actionContext.Request.Content.ReadAsAsync().Result.Schoolyear.userId;
//var schoolyearService=actionContext.ControllerContext.Controller.GetConstructorParameterServiceInstance();
//canUserExecuteAction=schoolyearService.HasUserPermission(用户ID,schoolyearId);
if(canUserExecuteAction)
{
基于授权(actionContext);
}
其他的
{
actionContext.Response=新的HttpResponseMessage(HttpStatusCode.Forbidden);
}
}
//为简洁起见,请删除
私有只读是学校的EARSERVICE\u服务;
公共学年控制员(ISchoolyearService服务)
{
_服务=服务;
}

如果您把 SchoolyearController 上的 _service 字段设为公开，可以在 OnAuthorization 方法中尝试以下操作：

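// 'as' yields null whenever this filter runs on a controller other than SchoolyearController,
// so guard it and fail closed (deny) instead of throwing a NullReferenceException.
// NOTE(review): this approach requires making the controller's _service field public, which the
// answer itself points out; resolving ISchoolyearService from the request's dependency scope
// (see the other answer on this page) avoids widening the field's visibility.
var schoolyearController = actionContext.ControllerContext.Controller as SchoolyearController;
canUserExecuteAction = schoolyearController != null
    && schoolyearController._service.HasUserPermission(userId, schoolyearId);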

好的，我最终找到了从当前请求获取 ISchoolyearService 的方法：

从DependencyScope中获取已注册的服务

现在这个特性（attribute）应该直接放在控制器上，而不需要放在每个操作上，因为我在 HTTP 谓词上使用了 if/else。

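// Default-deny: the flag only becomes true after an explicit permission check succeeds.
bool canUserExecuteAction = false;
if (actionContext.Request.Method == HttpMethod.Put)
{
    // Parse the target id defensively: Convert.ToInt32 would throw FormatException on a
    // non-numeric value and surface as a 500, whereas a malformed id should simply be rejected.
    object rawId = actionContext.Request.GetRouteData().Values["Id"];
    int targetId;
    if (rawId == null || !int.TryParse(rawId.ToString(), out targetId))
    {
        actionContext.Response = new HttpResponseMessage(HttpStatusCode.BadRequest);
        return;
    }

    // NOTE(review): the user id below is read from the request body, which the caller controls,
    // so HasUserPermission is effectively asked about an id of the client's choosing. The check
    // should use the authenticated identity (for example actionContext.RequestContext.Principal);
    // confirm how this application maps the principal to a user id and read it from there.
    // Blocking with .Result on the ASP.NET synchronization context can also deadlock; overriding
    // OnAuthorizationAsync and awaiting ReadAsAsync removes both the block and that risk.
    SchoolyearEditRequest editRequest = actionContext.Request.Content.ReadAsAsync<SchoolyearEditRequest>().Result;
    if (editRequest == null || editRequest.Schoolyear == null)
    {
        // An empty or unreadable body would otherwise throw a NullReferenceException (500).
        actionContext.Response = new HttpResponseMessage(HttpStatusCode.BadRequest);
        return;
    }
    int userId = editRequest.Schoolyear.UserId;

    // Resolve the service from the per-request dependency scope so the IoC container remains
    // the single place that wires ISchoolyearService.
    var requestScope = actionContext.ControllerContext.Request.GetDependencyScope();
    var service = requestScope.GetService(typeof(ISchoolyearService)) as ISchoolyearService;
    if (service == null)
    {
        // A missing registration is a configuration error; fail loudly rather than with a
        // NullReferenceException on the next line.
        throw new InvalidOperationException("ISchoolyearService is not registered with the dependency resolver.");
    }
    canUserExecuteAction = service.HasUserPermission(userId, targetId);

    if (canUserExecuteAction)
    {
        base.OnAuthorization(actionContext);
    }
    else
    {
        // Authenticated but not the owner of the target: answer 403 and short-circuit the action.
        actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
    }
}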
bool canUserExecuteAction=false;
if(actionContext.Request.Method==HttpMethod.Put)
{
int-targetId=Convert.ToInt32(actionContext.Request.GetRouteData().Values[“Id”]);
int userId=actionContext.Request.Content.ReadAsAsync().Result.Schoolyear.userId;
var requstScope=actionContext.ControllerContext.Request.GetDependencyScope();
var service=requstScope.GetService(typeof(ISchoolyearService))作为ISchoolyearService;
canUserExecuteAction=service.HasUserPermission(userId,targetId);
if(canUserExecuteAction)
{
基于授权(actionContext);
}
其他的
{
actionContext.Response=新的HttpResponseMessage(HttpStatusCode.Forbidden);
}
}