堆栈内存溢出
  简体   繁体   English

如何确保所有WebAPI / OData请求都与特定用户有关?

[英]How to ensure that all WebAPI/OData requests pertain to a specific user?

 原文  2013-11-29 18:00:09       rest/ asp.net-mvc-4/ odata/ asp.net-web-api

问题描述

I found this process simpler when consuming a WCF service (SOAP), but here goes... 使用WCF服务(SOAP)时,我发现此过程更加简单,但是这里...

Where Users 1..* Categories: 用户1 .. *类别:

In exposing an OData RESTful service (MVC4, WebAPI, OData), client-side code could be issued like: 在公开OData RESTful服务(MVC4,WebAPI,OData)时,可以发出客户端代码,如下所示: 

/odata/Categories?$filter=startswith(CategoryName,'paid')

Or even 甚至 

/odata/Categories

Would return all categories for all users. 将为所有用户返回所有类别。 Not very secure. 不是很安全。

I want to ensure that all requests issued when a user is logged in (I'm using forms authentication with my own custom role provider) only return data related to that user (where userID=x). 我想确保在用户登录时发出的所有请求(我正在通过自己的自定义角色提供程序使用表单身份验证)仅返回与该用户相关的数据(其中userID = x)。 Is there a custom filter that needs to be created, whereby even if a logged in user saw the outgoing WebAPI/OData request paths (often defined in JavaScript), they can't try to get other user's information? 是否需要创建一个自定义过滤器,即使登录用户看到了传出的WebAPI / OData请求路径(通常在JavaScript中定义),他们也无法尝试获取其他用户的信息?

Each navigation property or related table in the db has a UserID field where the "AND UserID=x" could be used. 数据库中的每个导航属性或相关表都有一个UserID字段,可在其中使用“ AND UserID = x”。

Would this involve creating some sort of FilterQueryValidator (actually query addition) similar to what's found at the bottom of this page? 这会涉及创建类似于页面底部的FilterQueryValidator (实际上是查询附加项)吗?

I'm just not sure on how this works, and would like some pointers. 我只是不确定这是如何工作的,并且需要一些指导。

FYI: This may be related to this other question, but more specific on user-based requests. FYI:这可能与这个其他的问题,但基于用户的要求更加具体。

1 个解决方案

解决方案1
 1  2013-12-03 10:17:15

You can use a filter attribute or you can override GET / POST etc in your ODataContoller to add the UserID == X to the Linq expression. 您可以使用过滤器属性,也可以在ODataContoller中覆盖GET / POST等,以将UserID == X添加到Linq表达式中。

eg 例如 

public override IQueryable<Product> Get()
{
   return _context.Products.Where(x => x.UserID == user_id);
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 WebApi和OData - WebApi and OData 如何确保http请求来自特定用户? - How can I ensure an http request comes from specific user? 如何在 ASP.NET WebApi 中按顺序而不是并行执行所有请求? - How execute all requests sequentially instead of parallel in ASP.NET WebApi? 如何编写OData调用以获取具有等于空数组的特定属性的所有实体 - How to write an OData call to get all entities with a specific property equal to an empty array odata和webapi一起在同一个控制器中 - odata and webapi together in the same controller 如何在 WebApi Core 中设计多个补丁请求 - How to design Multiple Patch requests in WebApi Core 如何保证的REST API以有序的方式执行传入的请求 - How to ensure REST APIs to execute the incoming requests in a sequenced manner 如何形成ASP.NET OData WebApi的PATCH主体? - How do I form the body of a PATCH for a ASP.NET OData WebApi? WebApi 2 + OData v4完整示例 - WebApi 2 + OData v4 complete example 如何获取我的用户使用github API打开的所有打开请求请求? - How to I get all open pull requests opened by my user with github api?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM