除了指定的例外,如何拒绝角色/用户对所有控制器/操作的访问asp.net MVC
[英]How to deny a role / user access to all Controllers / Actions apart from specified exceptions asp.net MVC
问题描述
I would like to be able to specify either a role a user that isn't allowed to access and entire site when all other users are. 
我希望能够指定一个角色(该角色不允许其他用户访问)和整个网站(而其他所有用户均可)。
I would then like to be able to do something along the lines of an authorize header on selected actions so that the denied user is still allowed access this selected action and controller if possible. 然后,我希望能够对选定的动作执行authorize标头的内容,以便在可能的情况下仍允许拒绝的用户访问此选定的动作和控制器。
I know I could create a role, add all other users to this role and then do an authorization attribute on this role but this would have to be done on every single action which is a non-starter because the project is already built with hundreds if not thousands of actions. 我知道我可以创建一个角色,将所有其他用户添加到该角色中,然后对该角色执行授权属性,但是这必须对每个非启动者的动作都必须执行,因为该项目已经用数百个构建了。没有数千个动作。
So any suggestions will be appreciated 因此,任何建议将不胜感激
1 个解决方案
解决方案1
1 已采纳 2017-05-16 19:46:50
The easiest solution here would probably be a custom Authorize attribute to add Deny functionality. 这里最简单的解决方案可能是添加“拒绝”功能的自定义Authorize属性。 You could implement this in a number of ways. 您可以通过多种方式来实现。 For instance, you could deny based on a specific role, but that can be difficult to maintain over time if you want to deny people from different parts of the app, you'd have to create different roles and change your code every time you want to do that. 例如,您可以基于特定角色进行拒绝,但是如果您想拒绝应用程序不同部分的人员,那么随着时间的流逝很难维护,那么您就必须创建不同的角色并每次更改代码要做到这一点。
For example: 例如:
public class DenyAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return !base.AuthorizeCore(httpContext);
}
}
This uses the Roles property of the AuthorizeAttribute as a deny. 这将AuthorizeAttribute的Roles属性用作拒绝。
[Deny(Roles="DeniedUsers")]
Be aware though, that you would need some kind of higher level authorization, such as at the Controller or global filter level that blocks overall unauthenticated users, otherwise it would allow anyone not in the Role specified to have access, including unauthenticated users. 但是请注意,您将需要某种更高级别的授权,例如在Controller或全局筛选器级别,以阻止所有未经身份验证的用户,否则,它将允许未指定角色的任何人(包括未经身份验证的用户)都有权访问。 So maybe add something like: 因此,也许添加类似以下内容:
return httpContext.User.IsAuthenticated && !base.AuthorizeCore(httpContext);
Also be aware that using this in conjunction with an [AllowAnonymous] might be problematic. 另请注意,将其与[AllowAnonymous]结合使用可能会出现问题。
Another option would be to create a more flexible system that would calculate the deny based on the current controller/action. 另一个选择是创建一个更灵活的系统,该系统将基于当前的控制器/操作来计算拒绝。 Something like this: 像这样:
public class DenyByControllerActionAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var controller = httpContext.Request.RequestContext.RouteData.GetRequiredString("controller");
var action = httpContext.Request.RequestContext.RouteData.GetRequiredString("action");
var denyRole = string.Format("Deny{0}:{1}", controller, action);
return !httpContext.User.IsInRole(denyRole) && base.AuthorizeCore(httpContext);
}
}
Which you can then control access by adding the user to a role of the format "Deny{Controller}:{Action}", so something like DenyHome:Index or "DenyAdmin:Email". 然后,您可以通过将用户添加为“ Deny {Controller}:{Action}”格式的角色来控制访问,例如DenyHome:Index或“ DenyAdmin:Email”。
This will also require they have Default authorize access as well by calling the base AuthorizeCore functionality. 这也将要求他们也具有默认的授权访问权限,方法是调用基本的AuthorizeCore功能。 So, you can do a wholesale replace of [Authorize] with `[DenyByControllerAction] and it will work the same way (or use it as a global filter), but simply adding the role you can deny any user access to any Controller/Action. 因此,您可以将[Authorize]替换为`[DenyByControllerAction],它的工作方式相同(或将其用作全局过滤器),但只需添加该角色即可拒绝任何用户访问任何Controller / Action 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.