
C#: how do I control a user's read/write access to entities?


I have a web application built on dotnet core + entityframework core, identity server and MS SQL server as the database (Angular 2 on the front end). I have implemented user authentication with roles. Now I am using the Authorize attribute to control access to different parts of the application. Here is an example of an api function that is available to 3 different roles:

[Authorize(Roles = "ProductAdministrator, WebEditor, Manager")]
public IActionResult Get()
{
    IList<Product> products = _service.GetProducts();
    return Ok(products);
}
And then this could be another object:

var carProduct2 = new Product() { 
    Name = "Ford Fiesta", 
    Category = "Car", 
    Price = 15000,
    // array initializer; the bracket form is not valid C# for a string[] property
    Roles = new[] { "ProductAdministrator", "CarDealer", "FordExpert", "CarWorkshop" } 
};

You probably get the idea by now. What is the best way to go from controlling access at the route level to controlling it at the object level? Is there any literature on this (my Google searches have turned up little)?

Abstract the permission concept away from Product. Later on you may also want to apply permissions to other objects.

public interface IPermissionProtected
{
    string[] AllowedGroups { get; }
}
Product is then a protected entity:

public class Product : IPermissionProtected
{
    ...

    public Product(..., string[] allowedGroups)
    {
        this.AllowedGroups = allowedGroups;
    }

    public string[] AllowedGroups { get; private set;}
}
Permissions are probably assigned when the Product is created. Nothing prevents you from changing them later.

var carProduct1 = new Product(new [] {"CarSeller", "ProductAdministrator", "Insurance", "VolvoExpert"}) { 
    Name = "Volvo XE 90", 
    Category = "Car", 
    Price = 51.600
};
You can allow anyone to access the Product controller. From this point on I am not sure exactly how you want to do it, but, for example, you could return only the products the current user has permission for:

public IActionResult Get()
{
  IList<Product> products = _service.GetProducts(currentUserRole);
  return Ok(products);
}
You can modify the Service so that it only gives you the products the user is authorized for:

public class Service
{
    public IList<Product> GetProducts(string currentUserRole)
    {
        // compare against Product's AllowedGroups
        return this.dataRepo.Products.Where(product => product.AllowedGroups.Contains(currentUserRole)).ToList();
    }

    public Product GetProduct(int productId, string currentUserRole)
    {
        // compare against Product's AllowedGroups
        var product = this.dataRepo.Products.FirstOrDefault(product => product.Id == productId);

        // a missing product is treated the same as a forbidden one, so the caller
        // cannot probe for ids it is not allowed to read
        if (product == null || !product.AllowedGroups.Contains(currentUserRole))
        {
            // AuthorizationException is a custom exception type; it takes a single message
            throw new AuthorizationException(string.Format("{0} not allowed on product {1}", currentUserRole, productId));
        }

        return product;
    }
}
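A fuller version of the same idea, as an added example that is not part of the answer above: ASP.NET Core already has a resource-based authorization pipeline (AuthorizationHandler with a resource type, OperationAuthorizationRequirement, IAuthorizationService), so the "is this role in AllowedGroups" check can live in one handler and be asked for both reads and writes, which is what the question is after. The IProductRepository interface, the ProductOperations names and the rule that a write also needs the ProductAdministrator role are assumptions made for this example, not something the page or the framework defines; the IPermissionProtected interface is the answer's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

// Same abstraction as the answer: an entity carries the groups allowed to touch it.
public interface IPermissionProtected
{
    string[] AllowedGroups { get; }
}

public class Product : IPermissionProtected
{
    public int Id { get; set; }
    public string Name { get; set; }
    // Assumption: persisted by EF Core as a child table or JSON column; a plain string[]
    // cannot be translated into a SQL WHERE clause before EF Core 8 primitive collections.
    public string[] AllowedGroups { get; set; } = Array.Empty<string>();
}

// Hypothetical data-access abstraction over the EF Core DbContext (not from the page).
public interface IProductRepository
{
    Task<List<Product>> ListAsync();
    Task<Product> FindAsync(int id);
    Task SaveAsync();
}

// Named operations so the handler can tell a read from a write.
public static class ProductOperations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static readonly OperationAuthorizationRequirement Write =
        new OperationAuthorizationRequirement { Name = "Write" };
}

// Resource-based handler: Read succeeds when any of the caller's role claims is in
// AllowedGroups; Write additionally requires the ProductAdministrator role (assumed rule).
public class PermissionProtectedHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, IPermissionProtected>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        IPermissionProtected resource)
    {
        // A user may hold several roles, so compare the whole set rather than one role string.
        var roles = new HashSet<string>(context.User.FindAll(ClaimTypes.Role).Select(c => c.Value));
        bool inGroup = resource.AllowedGroups.Any(roles.Contains);
        bool isWrite = requirement.Name == ProductOperations.Write.Name;

        if (inGroup && (!isWrite || roles.Contains("ProductAdministrator")))
        {
            context.Succeed(requirement);
        }
        // No Fail() call: an unmet requirement is denied by default; other handlers may still grant it.
        return Task.CompletedTask;
    }
}

// Route-level [Authorize] only proves the caller is signed in; each action then asks
// IAuthorizationService about the specific entity it is about to return or change.
[Authorize]
[Route("api/products")]
public class ProductsController : Controller
{
    private readonly IAuthorizationService _auth;
    private readonly IProductRepository _repo;

    public ProductsController(IAuthorizationService auth, IProductRepository repo)
    {
        _auth = auth;
        _repo = repo;
    }

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        var visible = new List<Product>();
        foreach (var product in await _repo.ListAsync())
        {
            var decision = await _auth.AuthorizeAsync(User, product, ProductOperations.Read);
            if (decision.Succeeded) visible.Add(product);
        }
        return Ok(visible);
    }

    [HttpPut("{id}")]
    public async Task<IActionResult> Update(int id, [FromBody] Product update)
    {
        var product = await _repo.FindAsync(id);
        if (product == null) return NotFound();

        var decision = await _auth.AuthorizeAsync(User, product, ProductOperations.Write);
        if (!decision.Succeeded) return Forbid();   // 403 for a signed-in but unauthorized caller

        product.Name = update.Name;
        await _repo.SaveAsync();
        return NoContent();
    }
}
```

The handler is registered once with `services.AddSingleton<IAuthorizationHandler, PermissionProtectedHandler>();` in ConfigureServices and then applies to every entity that implements IPermissionProtected. Two caveats a practitioner would want: filtering the GET result in memory, as above, is fine for a small catalogue but loads rows the caller may never see, so with a large table the group membership should be stored relationally and the role filter pushed into the EF query; and answering 403 on a forbidden id confirms that the id exists, so where enumeration matters return NotFound for both cases.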
