
DNN API Role based authorization

I want to apply authorization on API calls with respect to DNN roles, so that DNN itself will check whether the logged-in user has access to a particular API call. I got one solution but not exactly what I want => How to handle security/authentication on a DNN-based web API. This link suggests having a separate module for API authorization so that we can assign roles to this module, and by using the [SupportedModules("ModuleName")] attribute on the API call we can restrict authorization. I checked this example but no luck... Please suggest a proper way to do it.

As long as you work with the DnnApiController as part of 7.x you can simply add this attribute to any method to require authorization based on role.

[DnnAuthorize(StaticRoles = "MyRoleNameHere")]

Where "MyRoleNameHere" is the name of the role that the user must have.

Have you checked this post? http://www.dotnetnuke.com/Resources/Blogs/EntryId/3329/Authorization-in-the-new-DNN-Services-Framework.aspx

I have found this useful (as well as the other answer you referred to)... but it's taken me a long time to understand it! Here's what I've figured out so far: If you're using a web browser, DNN can accept your request and evaluate the permissions (based on your login). The linked blog entry demonstrates this with an API that lists tabs -- it only shows the tabs your login has permission to see. If you write an HTTP request from somewhere else (such as in a PHP script), you can see the same behavior if you send username/password with the request.

You can use the DnnAuthorize attribute, but using role names directly can be problematic for the reasons you mentioned -- what if they change? However, you can write your own attribute. Basically, it will require (in some way, shape, or form) a TabID and ModuleID. That way, instead of checking a role name, you can have DNN check what permissions the current user has for that module.

You can write a module for it, assign role-based permissions to your module, and have DNN just check that tab/module for the given login. Writing your own attribute will make it easy to assign the permissions in your controller... without specifying the roles directly.

I believe the link refers to DNN 6.2, so there may be some differences with 7.
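
The custom attribute described in the answer above, as an added example that is not part of the original posts or DNN's own code. It assumes the DNN 7 Web API services framework (`AuthorizeAttributeBase`, `IOverrideDefaultAuthLevel`, `FindModuleInfo` and `ModulePermissionController` from the DotNetNuke assemblies); the attribute name, controller name and the module name "MyApiModule" are hypothetical.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Security;
using DotNetNuke.Security.Permissions;
using DotNetNuke.Web.Api;

// Hypothetical attribute (not part of DNN): authorizes on the caller's
// permissions for the module the request targets, not on a role name.
// IOverrideDefaultAuthLevel marks this filter as overriding the
// framework's default authorization level for the action.
public class ModulePermissionAuthorizeAttribute : AuthorizeAttributeBase, IOverrideDefaultAuthLevel
{
    public ModulePermissionAuthorizeAttribute()
    {
        AccessLevel = SecurityAccessLevel.View;
    }

    public SecurityAccessLevel AccessLevel { get; set; }

    public override bool IsAuthorized(AuthFilterContext context)
    {
        // Resolves the module from the TabId and ModuleId sent with the request.
        ModuleInfo module = context.ActionContext.Request.FindModuleInfo();
        if (module == null)
        {
            return false; // fail closed when no tab/module context is supplied
        }
        // DNN evaluates the current user's roles against the module's permissions.
        return ModulePermissionController.HasModuleAccess(AccessLevel, string.Empty, module);
    }
}

// Hypothetical controller; "MyApiModule" is an assumed module name.
[SupportedModules("MyApiModule")]
public class ReportsController : DnnApiController
{
    [HttpGet]
    [ModulePermissionAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
    public HttpResponseMessage Summary()
    {
        return Request.CreateResponse(HttpStatusCode.OK, new { status = "authorized" });
    }
}
```

Role changes are then made in the module's permission settings on the page, and the controller code stays untouched.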
