C# 多次调用授权
我正在从事的项目是一个使用 nopCommerce 2.6 的 intranet 站点,该站点经过修改,将表单身份验证和 Windows 身份验证结合在一起。用户的登录方式如下所示:我获取用户的 Windows 帐户名;我用该用户名在 Nop 的 Customer 表中查找;如果找到用户,且其帐户未标记为非活动或已删除,我将其登录;如果用户不存在,我会将其发送到注册页面;如果用户未激活、已删除或未被授权进入网站,我将其发送到未经授权的页面。看起来很简单,但有个问题:当用户不存在时,会正确地将其重定向到注册页面。当用户
/// <summary>
/// Short-circuits the current request by redirecting to the given action on the
/// Customer controller; the action's own pipeline then runs instead of the requested one.
/// </summary>
/// <param name="action">Target action name on the Customer controller ("Register" or "Unauthorized").</param>
/// <param name="filterContext">Authorization context whose <c>Result</c> receives the redirect.</param>
private void HandleUnauthorizedRequest(string action, AuthorizationContext filterContext)
{
    var target = new RouteValueDictionary();
    target["action"] = action;
    target["controller"] = "Customer";
    filterContext.Result = new RedirectToRouteResult(target);
}
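/// <summary>
/// Authorization filter entry point. For user-area pages it resolves the caller's
/// access code via <see cref="HasUserAccess"/> and redirects everyone who is not
/// fully authorized (code 4) to the matching action on the Customer controller.
/// </summary>
/// <param name="filterContext">MVC authorization context for the current request.</param>
/// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// A child action output cache is active; an authorization decision must not be served from cache.
/// </exception>
public void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
        throw new ArgumentNullException("filterContext");
    if (OutputCacheAttribute.IsChildActionCacheActive(filterContext))
        throw new InvalidOperationException("You cannot use [UserAuthorize] attribute when a child action cache is active");
    if (!IsUserPageRequested(filterContext))
        return;

    // Access codes as documented on IPermissionService.NewUserAuthorize:
    // 0: user not in system, 1: inactive, 2: deleted, 3: not authorized, 4: authorized.
    var userAccess = HasUserAccess(filterContext);
    if (userAccess == 4)
        return;

    string action;
    switch (userAccess)
    {
        case 0:
            action = "Register";
            break;
        case 1:
        case 2:
        case 3:
            action = "Unauthorized";
            break;
        default:
            // Fail closed: a code outside 0..4 is treated as "not authorized" rather
            // than redirecting to an empty action name.
            action = "Unauthorized";
            break;
    }
    this.HandleUnauthorizedRequest(action, filterContext);
}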
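/// <summary>
/// Maps the identity of the current thread principal to an access code by delegating
/// to <c>IPermissionService.NewUserAuthorize</c> for the user-access area permission.
/// </summary>
/// <param name="filterContext">
/// Authorization context of the request. Not consulted here: the login name is read
/// from <see cref="Thread.CurrentPrincipal"/>, not from the context.
/// </param>
/// <returns>
/// The access code returned by the permission service
/// (0: not in system, 1: inactive, 2: deleted, 3: not authorized, 4: authorized).
/// </returns>
public virtual int HasUserAccess(AuthorizationContext filterContext)
{
    var permissionService = EngineContext.Current.Resolve<IPermissionService>();
    // The principal's name is what the permission service looks up as the Nop customer username.
    // NOTE(review): assumes Thread.CurrentPrincipal mirrors the request's HttpContext.User
    // in this hosting pipeline — confirm, otherwise read filterContext.HttpContext.User instead.
    var userLogin = Thread.CurrentPrincipal.Identity.Name;
    return permissionService.NewUserAuthorize(StandardPermissionProvider.UserAccessArea, userLogin);
}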
private void HandleUnauthorizedRequest(字符串操作、授权上下文筛选器上下文)
{
var routeDictionary=newRouteValueDictionary{{{“action”,action},{“controller”,“Customer”};
filterContext.Result=新的RedirectToRouteResult(routeDictionary);
}
授权时的公共无效(AuthorizationContext filterContext)
{
如果(filterContext==null)
抛出新ArgumentNullException(“filterContext”);
if(OutputCacheAttribute.IsChildActionCacheActive(filterContext))
抛出新的InvalidOperationException(“当子操作缓存处于活动状态时,不能使用[UserAuthorize]属性”);
如果(IsUserPageRequested(filterContext))
{
var userAccess=HasUserAccess(filterContext);
var action=string.Empty;
/*
*0:用户不在系统中
*1:用户处于非活动状态
*2:用户被删除
*3:用户未授权
*4:用户已授权
*/
交换机(用户访问)
{
案例0:
action=“寄存器”;
打破
案例1:
案例2:
案例3:
action=“未经授权”;
打破
}
if(userAccess!=4)
此.HandleUnauthorizedRequest(操作、筛选器上下文);
}
}
公共虚拟int HasUserAccess(AuthorizationContext filterContext)
{
//需要获得许可
var permissionService=EngineContext.Current.Resolve();
//获取用户的Windows身份验证帐户
var userAccount=string.Empty;
var userLogin=Thread.CurrentPrincipal.Identity.Name;
//确定用户是否具有适当的权限
var result=permissionService.NewUserAuthorize(StandardPermissionProvider.UserAccessArea,userLogin);
返回结果;
}
PermissionService.cs
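/// <summary>
/// Authorize User: resolves the customer behind <paramref name="userLogin"/>, rejects
/// inactive or deleted accounts, signs the remaining customer in and then checks
/// <paramref name="permission"/> against them.
/// </summary>
/// <param name="permission">Permission Record</param>
/// <param name="userLogin">User Login (looked up as the Nop customer username; null or empty counts as "not in system")</param>
/// <returns>
/// 0: User not in system
/// 1: User is inactive
/// 2: User is deleted
/// 3: User not authorized
/// 4: User is authorized
/// </returns>
public virtual int NewUserAuthorize(PermissionRecord permission, string userLogin)
{
    // An empty login cannot match a customer; short-circuit instead of querying.
    if (string.IsNullOrEmpty(userLogin))
        return 0;

    //Find the user within Nop
    var currentCustomer = _customerService.GetCustomerByUsername(userLogin);
    //User not in system
    if (currentCustomer == null)
        return 0;
    //User is set to inactive
    if (!currentCustomer.Active)
        return 1;
    //User is deleted
    if (currentCustomer.Deleted)
        return 2;

    //Sign user in and make them the current user
    // NOTE(review): the sign-in is persistent (second argument true) and happens on every
    // call, before the permission check, so a customer who ends up with code 3 is still
    // signed in — confirm that is intended rather than signing in only on code 4.
    _authenticationService.SignIn(currentCustomer, true);
    return Authorize(permission, currentCustomer) ? 4 : 3;
}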
//
///授权用户
///
///许可记录
///用户登录
///
///0:用户不在系统中
///1:用户处于非活动状态
///2:用户被删除
///3:用户未授权
///4:用户已授权
///
公共虚拟int NewUserAuthorize(PermissionRecord permission,string userLogin)
{
//在Nop中查找用户
var currentCustomer=\u customerService.GetCustomerByUsername(userLogin);
//用户不在系统中
如果(currentCustomer==null)
返回0;
//用户设置为非活动
如果(!currentCustomer.Active)
返回1;
//用户被删除
如果(currentCustomer.Deleted)
返回2;
//登录用户并使其成为当前用户
_authenticationService.SignIn(currentCustomer,true);
var authorize=授权(权限,当前客户);
退货授权?4:3;
}
我首先要确保您没有把 CustomerController 中的 Unauthorized 操作标记为需要授权,这是我立即想到的。事实并非如此。但是,有些加载页头的方法确实带有一些限制。我现在正在逐一检查,看看有多少确实需要授权。