Authentication 将参数从控制器传递到自定义AuthorizationHandler
我正在开发一个控制器,它允许人们共享更新网站的权限。我正在尝试使用AuthorizationHandler来验证当前用户是否有权更新他们尝试更新的网站 我当前的请求和授权处理程序Authentication 将参数从控制器传递到自定义AuthorizationHandler,authentication,.net-core,authorization,Authentication,.net Core,Authorization,我正在开发一个控制器,它允许人们共享更新网站的权限。我正在尝试使用AuthorizationHandler来验证当前用户是否有权更新他们尝试更新的网站 我当前的请求和授权处理程序 public class WebsiteRequirement : IAuthorizationRequirement { public WebsiteRequirement(int websiteId) { WebsiteId = websiteId; } publi
public class WebsiteRequirement : IAuthorizationRequirement
{
public WebsiteRequirement(int websiteId)
{
WebsiteId = websiteId;
}
public int WebsiteId { get; private set; }
}
如果试图从HTTP请求传入值,则可以通过传递到处理程序()的
AuthorizationHandlerContext
上的Resource
属性访问这些值
如果您只是试图传入一些配置类型设置,那么请确保您的
AuthorizationHandler
具有生存期瞬态,并将这些值传入构造函数。因此,我看到的问题是,我并不总是具有相同的http请求结构。例:如果我使用api/websites/2
,那么websiteId是2。如果我发了一篇帖子,那么我想从website
对象中获取websiteId。在AuthorizationHandler中设置这种条件是否是一种好的做法?@ChrisHobbs我不想评论最佳做法;你当然可以这么做。。。
internal class WebsiteAuthorizationHandler : AuthorizationHandler<WebsiteRequirement>, IAuthorizationHandler
{
private readonly IWebsiteLogic _websiteLogic;
public WebsiteAuthorizationHandler(IWebsiteLogic websiteLogic)
{
_websiteLogic = websiteLogic;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, WebsiteRequirement requirement)
{
int userId = int.Parse(context.User.FindFirst(c => c.Type == "UserId").Value);
// Use the _websiteLogic to check if user has access, based on user id and website Id
if(_websiteLogic.CheckUserAccess(userId, requirement.WebsiteId)){
context.Succeed(requirement);
}
else
{
context.Fail();
}
return Task.CompletedTask;
}
}
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy("WebAuth", policy => policy.Requirements.Add(new WebsiteRequirement(1)));
});
services.AddSingleton<IAuthorizationHandler, WebsiteAuthorizationHandler>();
}
[HttpPost]
[Authorize(Policy = "WebAuth", WebsiteId=[FromBody]website.id)] // Trying to do something like this
public ActionResult<WebsiteDto> SaveWebsite([FromBody] WebsiteDto website)
{
if(_websiteLogic.CheckUserAccess(CurrentUserId, website.Id)) // My Backup Solution
{
return _websiteLogic.AddWebsite(website);
}
return new UnauthorizedResult();
}