Custom authorise attribute not overriding/combining on specific actions
I have created a custom authorise attribute to allow for some custom checks to determine access throughout my application.
When applying the custom auth attribute at a controller level and then trying to add additional access to a specific action, the roles are not applying in an 'additive' way.
Custom authorise attribute:
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Allow multiple = true so should roll all occurrences in a request into one
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class CustomAuthoriseAttribute : AuthorizeAttribute
{
    public CustomAuthoriseAttribute(params string[] roles)
    {
        // AuthorizeAttribute.Roles expects a comma-separated list
        this.Roles = string.Join(",", roles);
    }

    /// <summary>
    /// Custom routines to determine if a request is considered authorised.
    /// </summary>
    /// <param name="httpContext">The current request context.</param>
    /// <returns>true if the request is authorised, otherwise false.</returns>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        // An anonymous request has no user id to look up, so deny it before hitting the store
        if (!httpContext.User.Identity.IsAuthenticated)
        {
            return false;
        }

        var userManager = httpContext.GetOwinContext().GetUserManager<UserManager>();
        var user = userManager.FindById(httpContext.User.Identity.GetUserId());
        if (user == null)
        {
            return false;
        }

        // Log the user out as they should not be allowed access
        if (user.IsDisabled || user.IsDeleted)
        {
            httpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            httpContext.Session.Clear();
            return false;
        }

        // Base class performs the Users/Roles check against the principal
        return base.AuthorizeCore(httpContext);
    }
}
Usage in controller:
using System.Web.Mvc;

// Constants on the class itself must be qualified when referenced from an attribute on that class
[CustomAuthorise(SomeController.SuperAdministrator, SomeController.Administrator)]
public class SomeController : Controller
{
    public const string SuperAdministrator = "SuperAdministrator";
    public const string Administrator = "Administrator";
    public const string Consultant = "Consultant";

    // Should only be accessible by SuperAdministrators and Administrators
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }

    // Should be accessible by SuperAdministrators, Administrators and Consultants
    [HttpGet]
    [CustomAuthorise(Consultant)]
    public ActionResult SomeAction()
    {
        return View();
    }
}
Seems to be hitting the auth checks for SuperAdmin and Admin, and then hitting a check for Consultant on its own which is causing an unauthorised request. Why are they not being treated together?
Multiple authorize attributes are handled using a logical AND. The result of each attribute is AND'd with the previous. In this scenario, SomeAction would only be accessible by someone who is a super admin or admin (based on the controller level attribute) AND they are a consultant (based on the action level attribute).
There are a few different ways to do this but I would advise against granting access to the consultants at the controller level as you'd be blending privileged accounts (super admin and admin) with restricted accounts (consultant).
I would create a new controller that is accessible by all three roles and move this action there. Then you can leave your privileged methods in the original controller.
using System.Web.Mvc;

// Role names from the question's SomeController, collected here so both controllers can reference them
public static class Roles
{
    public const string SuperAdministrator = "SuperAdministrator";
    public const string Administrator = "Administrator";
    public const string Consultant = "Consultant";
}

[CustomAuthorise(Roles.SuperAdministrator, Roles.Administrator)]
public class PrivilegedController : Controller
{
    // Should only be accessible by SuperAdministrators and Administrators
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }
}

// A single attribute listing several roles grants access to any one of them
[CustomAuthorise(Roles.SuperAdministrator, Roles.Administrator, Roles.Consultant)]
public class LessPrivilegedController : Controller
{
    [HttpGet]
    public ActionResult SomeAction()
    {
        return View();
    }
}
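As an added illustration (not code from the question or the answer), the console program below runs the stock MVC AuthorizeAttribute role check through a fake HttpContextBase and combines filters with AND the way the pipeline does, comparing the question's layout with the answer's. TestableAuthorize, FakeHttpContext and the user names are assumptions; it uses the base AuthorizeAttribute rather than CustomAuthoriseAttribute so no OWIN user manager is required.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical subclass that exposes the protected AuthorizeCore for direct calls.
class TestableAuthorize : AuthorizeAttribute
{
    public TestableAuthorize(params string[] roles) { Roles = string.Join(",", roles); }
    public bool Check(HttpContextBase ctx) => AuthorizeCore(ctx);
}

// Hypothetical HttpContextBase fake: AuthorizeAttribute.AuthorizeCore only reads User.
class FakeHttpContext : HttpContextBase
{
    private readonly IPrincipal _user;
    public FakeHttpContext(string name, params string[] roles)
    {
        // GenericIdentity with a non-empty name counts as authenticated
        _user = new GenericPrincipal(new GenericIdentity(name), roles);
    }
    public override IPrincipal User { get => _user; set => throw new NotSupportedException(); }
}

static class Program
{
    // MVC runs every authorization filter on an action; the request passes only if all of them pass.
    static bool Allowed(HttpContextBase ctx, params TestableAuthorize[] filters) =>
        filters.All(f => f.Check(ctx));

    static void Main()
    {
        var consultant = new FakeHttpContext("carol", "Consultant");   // constructed user
        var admin = new FakeHttpContext("alice", "Administrator");     // constructed user

        // Question's layout: controller requires SuperAdministrator OR Administrator,
        // action additionally requires Consultant; a user must satisfy both attributes.
        var controllerLevel = new TestableAuthorize("SuperAdministrator", "Administrator");
        var actionLevel = new TestableAuthorize("Consultant");
        Console.WriteLine($"SomeAction, consultant: {Allowed(consultant, controllerLevel, actionLevel)}");
        Console.WriteLine($"SomeAction, admin:      {Allowed(admin, controllerLevel, actionLevel)}");

        // Answer's layout: one attribute listing all three roles, so any one role suffices.
        var lessPrivileged = new TestableAuthorize("SuperAdministrator", "Administrator", "Consultant");
        Console.WriteLine($"LessPrivileged, consultant: {Allowed(consultant, lessPrivileged)}");
        Console.WriteLine($"LessPrivileged, admin:      {Allowed(admin, lessPrivileged)}");
    }
}
```

Compile against System.Web.Mvc (the .NET Framework package) to run it; the two layouts differ only in whether the roles sit in one attribute or are split across controller and action.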