C# 身份3 MVC 6中的授权策略
我做了很多研究,但仍然不确定我是否做得正确。 我找到的最好的资源就在这里 给定一个扩展为包含授权帐号列表的ApplicationUser类,我想限制用户仅查看基于其授权帐号的对账单(和其他操作)。我认为这是一个非常常见的设计,但是网上的大多数文章都提到了以前版本的identity (PS我正在控制器构造函数中注入UserManager) 这是我的行动C# 身份3 MVC 6中的授权策略,c#,asp.net-mvc,asp.net-identity,C#,Asp.net Mvc,Asp.net Identity,我做了很多研究,但仍然不确定我是否做得正确。 我找到的最好的资源就在这里 给定一个扩展为包含授权帐号列表的ApplicationUser类,我想限制用户仅查看基于其授权帐号的对账单(和其他操作)。我认为这是一个非常常见的设计,但是网上的大多数文章都提到了以前版本的identity (PS我正在控制器构造函数中注入UserManager) 这是我的行动 public IActionResult GetStatement(int accountNo,DateTime startDate,DateT
public IActionResult GetStatement(int accountNo,DateTime startDate,DateTime endDate)
{
var user = userManager.Users
.Include(u => u.AuthorisedAccounts)
.Where(u => u.Id == User.GetUserId())
.FirstOrDefault();
if (user.AuthorisedAccounts != null)
{
foreach (var account in user.AuthorisedAccounts)
{
if (account.AccountNo == accountNo)
return View(statementService.GetStatement(accountNo, startDate, endDate, 0));
}
}
return HttpUnauthorized();
}
任何关于采取何种方法的提示。在本例中,您将使用基于资源的方法,帐户就是资源。这方面的文档位于 首先,您需要定义一个Read操作
public static class Operations
{
public static OperationAuthorizationRequirement Read =
new OperationAuthorizationRequirement { Name = "Read" };
}
public class AccountAuthorizationHandler : AuthorizationHandler<
OperationAuthorizationRequirement, Account>
{
IUserManager _userManager;
public AccountAuthorizationHandler(IUserManager userManager)
{
_userManager = userManager;
}
protected override void Handle(AuthorizationContext context,
OperationAuthorizationRequirement requirement,
Account resource)
{
// Pull the user ID claim out from the context.User
var userId = context.User.....
// Get the current user's account numbers.
var user = userManager.Users
.Include(u => u.AuthorisedAccounts)
.Where(u => u.Id == userId)
.FirstOrDefault();
}
// Now check if the user's account numbers match the resource accountNumber, and
// also check the operation type, in case you want to vary based on create, view etc.
if (user.AuthorisedAccounts.Contains(resource.AccountId &&
requirement.Name == "View")
{
context.Succeed(requirement);
}
}
public async Task<IActionResult> View(int accountId)
{
Account account = accountManager.Find(accountId);
if (account == null)
{
return new HttpNotFoundResult();
}
if (await _authorizationService.AuthorizeAsync(User, account, Operations.Read))
{
return View(account);
}
else
{
return new ChallengeResult();
}
}
公共异步任务视图(int accountId)
{
Account=accountManager.Find(accountId);
如果(帐户==null)
{
返回新的HttpNotFoundResult();
}
if(wait_authorizationService.authorizationAsync(用户、帐户、操作.读取))
{
返回视图(帐户);
}
其他的
{
返回新的ChallengeResult();
}
}
[Authorize]@blowdart在控制器操作中使用
IAAuthorizationServiceIAuthorizationService服务.AddInstance(newauthorization.AccountAuthorizationHandler())有问题如果不通过usermanager,我似乎无法实例化它。但我认为授权处理程序对其自己的DI进行了排序?UserManager使用DbContext时是否对Singleton安全?好的,我仍然被卡住了-IAuthorizationHandler只包含句柄而不包含AuthorizationAsync。我已经发送了一封关于user manager的电子邮件。为什么希望处理程序具有Authorize async?您正在将AuthorizationService注入控制器中-看到了吗?是的,我试图将处理程序而不是IAAuthorizationService注入控制器中。对不起。我想我已经读了好几遍刚才从我身边经过的文件了。
public class AccountController : Controller
{
IAuthorizationService _authorizationService;
public AccountController(IAuthorizationService authorizationService)
{
_authorizationService = authorizationService;
}
}
public async Task<IActionResult> View(int accountId)
{
Account account = accountManager.Find(accountId);
if (account == null)
{
return new HttpNotFoundResult();
}
if (await _authorizationService.AuthorizeAsync(User, account, Operations.Read))
{
return View(account);
}
else
{
return new ChallengeResult();
}
}
services.AddAuthorization(options =>
{
// inline policies
options.AddPolicy("AccessByAccountNumber", policy =>
{
policy.RequireDelegate((context, requirement) =>
{
var httpContext = (context as dynamic).HttpContext;
// Proceed to grab the account number from the request values
// and compare it against the user object stored in 'context.User'
});
});
});