C# 如何阻止已删除用户的访问?
远程用户使用需要授权的API,并成功地传递该API 创建了一个Asp核心Web API项目,我使用标识控制访问,通过UserManager.DeleteAsync删除了一个用户:C# 如何阻止已删除用户的访问?,c#,asp.net-core,C#,Asp.net Core,远程用户使用需要授权的API,并成功地传递该API 创建了一个Asp核心Web API项目,我使用标识控制访问,通过UserManager.DeleteAsync删除了一个用户: public class Startup { public Startup(IConfiguration configuration) { Configuration = configuration; } public
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSwaggerGen(options =>
{
options.SwaggerDoc("v1", new Info { Title = "API", Version = "v1" });
});
services.AddDbContext<CommonDBContext>(options => options.UseNpgsql(Configuration.GetConnectionString("PostgreSQL")));
services.AddScoped<IFamilyRepository, FamilyRepository>()
.AddScoped<IProfileRepository, ProfileRepository>();
services.AddIdentity<UserEntity, RoleEntity>(options =>
{
options.SignIn.RequireConfirmedEmail = false;
options.User.RequireUniqueEmail = true;
})
.AddUserManager<UserManagerExtensions>()
.AddEntityFrameworkStores<CommonDBContext>();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseSwagger();
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "API");
});
app.UseMiddleware<TestMiddelwwre>();
app.UseAuthentication();
app.UseMvc();
}
}
公共类启动
{
公共启动(IConfiguration配置)
{
配置=配置;
}
公共IConfiguration配置{get;}
//此方法由运行时调用。请使用此方法将服务添加到容器中。
public void配置服务(IServiceCollection服务)
{
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSwaggerGen(选项=>
{
options.SwaggerDoc(“v1”,新信息{Title=“API”,Version=“v1”});
});
services.AddDbContext(options=>options.UseNpgsql(Configuration.GetConnectionString(“PostgreSQL”));
services.AddScoped()
.addScope();
服务.附加性(选项=>
{
options.SignIn.RequireConfirmedEmail=false;
options.User.RequireUniqueEmail=true;
})
.AddUserManager()
.AddEntityFrameworkStores();
}
//此方法由运行时调用。请使用此方法配置HTTP请求管道。
公共无效配置(IApplicationBuilder应用程序,IHostingEnvironment环境)
{
if(env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseSwagger();
app.UseSwaggerUI(c=>
{
c、 SwaggerEndpoint(“/swagger/v1/swagger.json”,“API”);
});
app.UseMiddleware();
app.UseAuthentication();
app.UseMvc();
}
}
- 预期结果:已删除的用户无法使用具有
属性的操作李>[Authorize]
- 实际结果:用户成功通过身份验证和授权
ActiveUserRequirement
。它需要扩展IAuthorizationRequirement
接口
public class ActiveUserRequirement: IAuthorizationRequirement {}
然后您将需要处理程序
public class ActiveUserRequirementHandler : AuthorizationHandler<ActiveUserRequirement>
{
private readonly UserManager<IdentityUser> _userManager;
// UserManager<TUser> available via dependency injection. U can inject anything you want
public ActiveUserRequirementHandler(UserManager<IdentityUser> userManager)
{
this._userManager = userManager;
}
/// <inheritdoc />
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ActiveUserRequirement requirement)
{
var userFromDb = await _userManager.GetUserAsync(context.User);
// Check whatever qualifies as a deleted user in your usecase.
if (userFromDb != null && userFromDb.EmailConfirmed) // user exists in db, & we confirmed their email
{
context.Succeed(requirement);
}
else
{
context.Fail();
// calling .Fail() is not recommended, the framework assumes a requirement has failed automatically if no handler explicitly says it passed.
// this allows multiple requirement handlers to have their own way of determining whether a requirement has passed
}
}
}
确保在app.AddAuthentication()
之后立即调用app.useauthentication()
,以确保应用了授权中间件
也请阅读以了解更多信息。您是如何“删除”用户的?是否设置自定义标志,如IsDeleted
。。?用户模型上是否有任何字段?如果是,请将IsApproved
设置为false。
// Startup.cs
public void ConfigureServices(IServiceCollection services)
{
....
services.AddAuthorization(options =>
{
options.AddPolicy("ActiveUserPolicy", policyBuilder =>
{
policyBuilder.RequireAuthenticatedUser();
policyBuilder.AddRequirements(new ActiveUserRequirement());
});
});
services.AddSingleton<IAuthorizationHandler, ActiveUserRequirementHandler>();
}
services.AddAuthorization(options =>
{
options.DefaultPolicy =
new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddRequirements(new ActiveUserRequirement())
.Build();
}