
Authorization on data access in .net MVC

I have an application with two entities:

```csharp
using System.Collections.Generic;

public class Employer {
    public string Title {get;set;}
    public virtual ICollection<Application> Applications {get;set;}
}

public class Application {
    public string Title {get;set;}
}
```

I want to give users access to specific employers (an employer can have multiple users), so they can submit applications for their employers. This also includes a view of "your" employers. To solve this, I have thought of the following two possibilities:

  1. When an employer is created, a corresponding role is also created. Users can then be added to this role, and I will write some custom logic to check if the user is in the corresponding role. The hard part here is that it seems difficult to connect the role with the employer in any safe manner (without writing my own role provider).

  2. Add a property such as a collection of Users to the Employer class, and check if the currently signed-in user is in this collection to decide if the user has access.

Are these good solutions, or are there any better ways to solve my problem?

This is a problem with the DAO (data access object); today there is no automatic way to do this using Entity Framework (the standard for MVC 5 and ASP.NET Identity).

Some suggestions:

1) It's easy to create or override the "RoleManager" and "UserManager" and use them with your own rules.

2) You can encapsulate the data access, using something like a proxy or a wrapper to get the data from Entity Framework.

The only thing you definitely will not be able to overcome (if you want to use it) is the "custom mapping". I mean... the collection property of Employer will always load the data based on the mapping configuration, and the mapping configuration is a little bit limited (it does not support custom clauses, like a where on the relation).

I wouldn't use roles for this. Roles are typically used to control access to functionality, not typically subsets of data (although there are exceptions).

Now, you may run into issues where you have employees that are employed by more than one company and they have different permissions for each company. In that case, the default role provider is inadequate for that job.

If, however, users all have the same functionality, but they just have access to different subsets of data, then the solution is to filter your data based on company. For instance, the company entity would have an Employees collection. Any other data would be tied to the company. Then, when you display or edit data, you make sure to query with conditions that the data belongs to the company of the current user. In general, it's best to do this in the SQL (or EF) query itself rather than in code in your app.
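As an added illustration of the last answer's point (put the membership filter in the EF query itself, which also realises option 2 from the question), not code from any of the posters: the `Id`, `EmployerId`, `Members` and `EmployerUser` names are assumptions added to the question's classes.

```csharp
using System.Collections.Generic;
using System.Linq;
// Constructed model: Id, EmployerId and the Members join table are assumptions added
// to the question's classes so that membership can be expressed in the query.
public class Employer
{
    public int Id { get; set; }
    public string Title { get; set; }
    public ICollection<Application> Applications { get; set; } = new List<Application>();
    public ICollection<EmployerUser> Members { get; set; } = new List<EmployerUser>();
}

public class Application
{
    public string Title { get; set; }
    public int EmployerId { get; set; }
}

// One row per (employer, user) pair: the "collection of users" from option 2.
public class EmployerUser
{
    public int EmployerId { get; set; }
    public string UserId { get; set; }
}

public class EmployerAccess
{
    // With Entity Framework this would be db.Employers. Keeping the filter on the
    // IQueryable lets EF translate it to SQL rather than filtering rows in memory.
    private readonly IQueryable<Employer> _employers;
    public EmployerAccess(IQueryable<Employer> employers) { _employers = employers; }

    // "Your" employers: every query starts from this filtered set.
    public IQueryable<Employer> ForUser(string userId) =>
        _employers.Where(e => e.Members.Any(m => m.UserId == userId));
    // Loading by id goes through the same filter, so another employer's id yields
    // null instead of the record, whatever the client sends.
    public Employer Find(string userId, int employerId) =>
        ForUser(userId).SingleOrDefault(e => e.Id == employerId);
    // Submitting an application re-checks membership server-side instead of
    // trusting the employerId posted in the form.
    public bool SubmitApplication(string userId, int employerId, string title)
    {
        var employer = Find(userId, employerId);
        if (employer == null) return false;
        employer.Applications.Add(new Application { Title = title, EmployerId = employerId });
        return true;
    }
}
```

In a controller, `userId` comes from the authenticated principal (ASP.NET Identity's `User.Identity.GetUserId()`), never from the request, so the membership check cannot be bypassed by editing the posted employer id.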
