Simplemembership筛选器用户对不应用角色的页面的访问权限(ASP.NET MVC 4)
[英]Simplemembership Filter User Access to pages where roles don't apply (ASP.NET MVC 4)
问题描述
I'm new to Authorization and Autentication, but I recently started using Simplemembership on my college project. 
我是授权和认证的新手,但是我最近开始在我的大学项目中使用简单会员资格。 I managed to get it running. 我设法使其运行。 My problem is, I'm not exactly sure how to approach a certain issue. 我的问题是,我不确定如何解决某个问题。
There's a Projects Area and inside Controllers that lead to a few different pages. 有一个项目区域,在Controllers内部,这导致了一些不同的页面。 All users can access the Projects Area and the pages within it, but they should only be able to access and alter the pages/contents related to the "projects" they're part of. 所有用户都可以访问“项目区域”及其中的页面,但是他们只能访问和更改与其所属的“项目”相关的页面/内容。 It's not a role issue. 这不是角色问题。
I wish to know a simple way to create a filter the restrict the acess according to their dependencies, so the user won't just type the an "id" in the url and see stuff that belongs to another group. 我希望知道一种简单的方法来创建过滤器,以根据其依赖关系来限制访问权限,因此用户将不会仅在url中键入“ id”并查看属于另一组的内容。 Preferably without having to customize the provider since it's not the focus of my applicaion. 最好不必自定义提供程序,因为这不是我的应用重点。
I'm using MVC 4 with C#, and EF 5. 我正在将MVC 4与C#和EF 5一起使用。
2 个解决方案
解决方案1
0 2013-10-25 14:17:40
You have two options: 您有两种选择:
Firstly, you could forget writing a custom authorization attribute and just do the checks inside your action method. 首先,您可能会忘记编写自定义授权属性,而仅在操作方法内进行检查。 However, writing a custom authorize attribute is not that hard and should work for your scenario. 但是,编写自定义授权属性并不难,并且应该适合您的方案。 I wrote one that was based on specific permissions rather than roles, for example. 例如,我写的是基于特定权限而不是角色的。
Something like this should work for you: 这样的事情应该为您工作:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorize : AuthorizeAttribute
{
private int project_id;
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (base.AuthorizeCore(httpContext)) {
if (YourCurrentUserObject.IsPartofProject(project_id)) {
return true;
}
}
return false;
}
protected override void OnAuthorization(AuthorizationContext filterContext)
{
//get the "project id" parameter from your action method
project_id = Convert.ToInt32(filterContext.RouteData.Values.SingleOrDefault(x => x.Key == "project_id").Value);
base.OnAuthorization(filterContext);
}
}
解决方案2
0 2013-10-28 13:20:20
One solution is to have a table that maps the relationship between users and projects. 一种解决方案是拥有一个映射用户和项目之间关系的表。 You most likely already have such a table. 您很可能已经有了这样一个表。 I am not familiar with your application domain, but I assume that we are talking about a many-to-many relationship, where a user can have many projects and projects can have many users. 我不熟悉您的应用程序域,但是我假设我们正在谈论一种多对多关系,在这种关系中,一个用户可以有多个项目,而一个项目可以有许多用户。 If you use the same ID for the user that is used by SimpleMembership this will be very straight forward. 如果您为SimpleMembership使用的用户使用相同的ID,这将非常简单。 In the action for the controller that returns the project information based on a project ID passed in the URL, first check that the user is authenticated by calling WebSecurity.IsAuthenticated . 在针对基于URL中传递的项目ID返回项目信息的控制器的操作中,首先通过调用WebSecurity.IsAuthenticated检查用户是否已通过身份验证。 If they are not authenticated redirect to the log in page. 如果未通过身份验证,请重定向到登录页面。 Then in your query to return the project information join to the table that maps users to projects and make sure that the current user is part of the project being requested. 然后在查询中返回项目信息,然后加入到将用户映射到项目的表中,并确保当前用户是所请求项目的一部分。 You can get the current user ID by calling WebSecurity.CurrentUserId . 您可以通过调用WebSecurity.CurrentUserId获得当前用户ID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.