C# Different API functionality for different roles


I have an ASP.NET Core 2.1 API with claims-based authentication. Is it possible to combine these two API functions into one?

[Authorize(Roles = "Admin")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    _itemService.Delete(item.Id);
    return Ok();
}

[Authorize]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    var id = int.Parse(User.FindFirst(ClaimTypes.NameIdentifier).Value);
    if (_itemService.IsAuthor(id))
    {
        _itemService.Delete(item.Id);
        return Ok();
    }
    return Forbid();
}

Or should I check the role inside the method?

To check whether the user is an admin or has author permission, you can implement multiple requirements, as described in the docs linked by @user2884707bond for using multiple requirements in your scenario.

You can follow the steps below:

  • PermissionHandler.cs

    public class PermissionHandler : IAuthorizationHandler
    {
        public Task HandleAsync(AuthorizationHandlerContext context)
        {
            var pendingRequirements = context.PendingRequirements.ToList();

            foreach (var requirement in pendingRequirements)
            {
                if (requirement is ReadPermission)
                {
                    if (IsOwner(context.User, context.Resource) ||
                        IsAdmin(context.User, context.Resource))
                    {
                        context.Succeed(requirement);
                    }
                }
                else if (requirement is EditPermission ||
                         requirement is DeletePermission)
                {
                    if (IsOwner(context.User, context.Resource))
                    {
                        context.Succeed(requirement);
                    }
                }
            }
            return Task.CompletedTask;
        }

        private bool IsAdmin(ClaimsPrincipal user, object resource)
        {
            if (user.IsInRole("Admin"))
            {
                return true;
            }
            return false;
        }

        private bool IsOwner(ClaimsPrincipal user, object resource)
        {
            // Code omitted for brevity

            return true;
        }

        private bool IsSponsor(ClaimsPrincipal user, object resource)
        {
            // Code omitted for brevity

            return true;
        }
    }

  • Requirements

    public class ReadPermission : IAuthorizationRequirement
    {
        // Code omitted for brevity
    }
    public class EditPermission : IAuthorizationRequirement
    {
        // Code omitted for brevity
    }
    public class DeletePermission : IAuthorizationRequirement
    {
        // Code omitted for brevity
    }

  • Startup.cs

    services.AddAuthorization(options =>
    {
        options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
    });
    services.AddSingleton<IAuthorizationHandler, PermissionHandler>();


May be useful here. In that case, using a custom policy with an authorization handler is probably the best option. I wonder whether I need to implement anything inside the requirement, or can it be empty? How do I use the resource parameter in the IsOwner method? Do I need to cast it to another class and access its properties?

    [Authorize(Policy = "Read")]
    [HttpPost("delete")]
    public IActionResult Delete([FromBody]Item item)
    {
        _itemService.Delete(item.Id);
        return Ok();
    }
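As an added example (not code from the question, the answer, or the ASP.NET Core docs), the following shows the resource-based form of the same requirement/handler pattern, which is how the `resource` parameter gets a meaningful value. When a policy is enforced only through `[Authorize(Policy = "...")]`, `context.Resource` in ASP.NET Core 2.x is the MVC `AuthorizationFilterContext`, not the item being deleted, so an ownership check has to pass the loaded entity explicitly via `IAuthorizationService.AuthorizeAsync(User, item, policyName)` inside the action. `AuthorizationHandler<TRequirement, TResource>`, `IAuthorizationService` and `ControllerBase.Forbid()` are the real framework APIs; `Item`, its `AuthorId` property, `IItemService` and the policy name `"Delete"` are assumptions made for this example.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical domain type for this example: the entity records who created it.
public class Item
{
    public int Id { get; set; }
    public int AuthorId { get; set; }
}

// Hypothetical service, mirroring the _itemService used in the question.
public interface IItemService
{
    Item Get(int id);
    void Delete(int id);
}

// A requirement is just a marker; it carries no data here, so an empty class is enough.
public class DeletePermission : IAuthorizationRequirement { }

// Typed handler: the TResource parameter tells the framework which resource type this
// handler applies to, so context.Resource never needs a manual cast.
public class ItemDeleteHandler : AuthorizationHandler<DeletePermission, Item>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, DeletePermission requirement, Item item)
    {
        // Admins may delete any item.
        if (context.User.IsInRole("Admin"))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        // Everyone else must be the author. A missing or malformed claim simply
        // leaves the requirement unmet (fail closed) instead of throwing.
        var idClaim = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (int.TryParse(idClaim, out var userId) && userId == item.AuthorId)
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

// Startup.ConfigureServices registration (assumed policy name "Delete"):
// services.AddAuthorization(options =>
//     options.AddPolicy("Delete", p => p.AddRequirements(new DeletePermission())));
// services.AddSingleton<IAuthorizationHandler, ItemDeleteHandler>();

[ApiController]
[Route("api/items")]
public class ItemsController : ControllerBase
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IItemService _itemService;

    public ItemsController(IAuthorizationService authorizationService, IItemService itemService)
    {
        _authorizationService = authorizationService;
        _itemService = itemService;
    }

    // [Authorize] on its own only guarantees an authenticated caller; the ownership
    // decision needs the stored entity, so it is evaluated inside the action.
    [Authorize]
    [HttpPost("delete")]
    public async Task<IActionResult> Delete([FromBody] Item request)
    {
        // Load the real entity: the AuthorId supplied in the request body is
        // client-controlled and must not be used for the ownership decision.
        var item = _itemService.Get(request.Id);
        if (item == null)
        {
            return NotFound();
        }

        var result = await _authorizationService.AuthorizeAsync(User, item, "Delete");
        if (!result.Succeeded)
        {
            return Forbid();
        }

        _itemService.Delete(item.Id);
        return Ok();
    }
}
```

With this layout a single `delete` route serves both roles: the policy succeeds for an admin or for the author, and every other caller gets 403, while the controller never has to branch on roles itself.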