Model view controller: role access at the controller level
Does MVC allow one role to access an entire controller, while another role can access only one or a few of its methods? All methods belong to staff except Method3, which both customer and staff can access, as shown below:
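    // Controller level: staff only
    [Authorize(Roles = "staff")]
    public class StaffController : Controller
    {
        public StaffController()
        {
        }

        public ActionResult Method1()
        {
            return View();
        }

        public ActionResult Method2()
        {
            return View();
        }

        // Action level: intended for both staff and customer
        [Authorize(Roles = "staff, customer")]
        public ActionResult Method3()
        {
            return View();
        }
    }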
Or the other case, where everything except Method3 belongs to staff and Method3 can only be accessed by customer, as shown below:
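    // Controller level: staff only
    [Authorize(Roles = "staff")]
    public class StaffController : Controller
    {
        public StaffController()
        {
        }

        public ActionResult Method1()
        {
            return View();
        }

        public ActionResult Method2()
        {
            return View();
        }

        // Action level: intended for customer only
        [Authorize(Roles = "customer")]
        public ActionResult Method3()
        {
            return View();
        }
    }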
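However, the approaches above don't work. In both cases the customer still cannot access Method3.
Thank you very much for your help.

I suspect it checks the controller authorization first, so it never gets a chance to check the authorization on the specific action. One solution is to authorize both roles at the class level and restrict access to specific methods to only allow staff, e.g.
Another option is to use something like the custom attribute on this answer to restrict (i.e. authorize )
But as they mention, this goes against the "deny by default" principle of MVC security.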
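
A small console model of the two layouts discussed above, added here as an example and not taken from the question, the answer, or the framework's source. `RolesAttribute`, `AsAsked`, `AsAnswered` and `Allowed` are hypothetical names, and the model assumes that every role attribute on the controller and on the action must pass, with any one listed role satisfying a single attribute.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security.Principal;

// Hypothetical stand-in for [Authorize(Roles = "...")]: any one listed role satisfies it.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
sealed class RolesAttribute : Attribute
{
    public string[] Roles { get; }
    public RolesAttribute(string roles) =>
        Roles = roles.Split(',').Select(r => r.Trim()).ToArray();
}

// Layout from the question: controller limited to staff, Method3 widened on the action.
[Roles("staff")]
class AsAsked
{
    public void Method1() { }
    [Roles("staff, customer")] public void Method3() { }
}

// Layout from the answer: controller admits both roles, staff-only actions narrowed.
[Roles("staff, customer")]
class AsAnswered
{
    [Roles("staff")] public void Method1() { }
    public void Method3() { }
}

static class Demo
{
    // Assumption of this model: controller-level AND action-level attributes must all pass.
    static bool Allowed(Type controller, string action, IPrincipal user) =>
        controller.GetCustomAttributes<RolesAttribute>()
            .Concat(controller.GetMethod(action).GetCustomAttributes<RolesAttribute>())
            .All(a => a.Roles.Any(user.IsInRole));

    static void Main()
    {
        // Constructed sample users, one per role.
        var users = new[] { "staff", "customer" }.Select(r =>
            new GenericPrincipal(new GenericIdentity(r + "-user"), new[] { r }));
        foreach (var user in users)
            foreach (var type in new[] { typeof(AsAsked), typeof(AsAnswered) })
                foreach (var action in new[] { "Method1", "Method3" })
                    Console.WriteLine($"{user.Identity.Name,-13} {type.Name,-10} {action}: " +
                        (Allowed(type, action, user) ? "allowed" : "denied"));
    }
}
```

The printed matrix shows the customer denied on `Method3` under the question's layout and allowed under the answer's, while `Method1` stays staff-only in both.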