MVC 3 dynamic authorization of multiple roles and users

后端未结

关注

 3  1915

I recently starded developing for MVC 3 but have experience in both C# and ASP.NET since earlier. So i\'ll start with what i\'m trying to accomplish. I\'ve developed a small

相关标签:

3条回答

栀梦

2020-12-13 01:32

You can create your own custom attribute that inherits from AuthorizeAttribute and override the OnAuthorize method to do what you need.

This should get you started:

public class ArticleAuthorizeAttribute : AuthorizeAttribute
{
    public enum ArticleAction
    { 
        Read,
        Create,
        Update,
        Delete
    }

    public ArticleAction Action { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        //do custom authorizization using Action and getting ArticleID 
        //from filterContext.HttpContext.Request.QueryString or
        //filterContext.HttpContext.Request.Form
    }
}

The usage would look like this:

[ArticleAuthorize(Action=ArticleAuthorizeAttribute.ArticleAction.Update)]

Edit: After looking into this a bit more, it looks like you can't pass this.articleID in to the attribute. However, you do have access to the parameters from filterContext.HttpContext.Request through the QueryString property or the Form property, depending on how you are passing the values. I have updated the code sample appropriately.

A more complete example can be found here

To check for authorization using user role and user list you would do something like this:

        var allowedUsers = new List<string>();
        //populate allowedUsers from DB

        If (User.IsInRole("Update") || allowedUsers.Contains(User.Identity.Name))
        {
            //authorized
        }

Alternatively, you can do both checks against the DB directly in a single method to keep from making two calls.

0 讨论(0)

滥情空心

2020-12-13 01:34

Here's a much easier way to accomplish the same thing:

[Authorize]
public ActionResult UpdateArticle(ArticleModel model, int articleid)
{
    // if current user is an article editor
    return View();
    // else
    return View("Error");
}

0 讨论(0)

天涯浪人

2020-12-13 01:40

I got it working as I wanted when I overrode the AuthorizeCore method and authorizes the way I want to.

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        IPrincipal user = httpContext.User;
        if (!user.Identity.IsAuthenticated)
        {
            return false;
        }

        if ((_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) && (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole)))
        {
            return false;
        }

        return true;
    }

0 讨论(0)