尝试以未授权用户身份提交表单时出现问题
[英]Problem when trying to submit form as a not authorized user
问题描述
Sorry for the title but I didn't know how to explain it in just one sentence. 
对不起,标题,但我不知道如何用一句话来解释。 I have a view with form: 我对表格有看法:
@using (Html.BeginForm("AddComment", "Restaurants"))
{
@Html.TextBoxFor(c => c.NewComment.Body)
@Html.HiddenFor(m => m.Restaurant.Id)
<button type="submit">Add comment</button>
}
And AddComment Action in Restaurants controller: 在Restaurantss控制器中执行AddComment Action:
public ActionResult AddComment(RestaurantViewModel model, Comment newComment)
{
var userId = User.Identity.GetUserId();
var user = _context.Users.FirstOrDefault(u => u.Id == userId);
newComment.RestaurantId = model.Restaurant.Id;
newComment.AuthorId = Guid.Parse(userId);
newComment.AuthorName = user.UserName;
newComment.DateTime = DateTime.Now;
_context.Comments.Add(newComment);
_context.SaveChanges();
return RedirectToAction("Details", "Restaurants", new { id = model.Restaurant.Id});
}
And I added authorize filter: 我添加了授权过滤器:
filters.Add(new AuthorizeAttribute());
When I try to submit a form as a not logged user, it redirects me to the log in page. 当我尝试以未登录用户的身份提交表单时,它会将我重定向到登录页面。 If I log in on that page, it calls AddComment Action but it pass arguments Model.Restaurant and NewComment.Body as nulls. 如果我在该页面上登录,它将调用AddComment Action,但会将参数Model.Restaurant和NewComment.Body为null。 How to fix it, so when I log in, it redirects me to the previous page with filled TextBox or just call AddComment but pass proper values of arguments. 如何修复它,因此在我登录时,它会将我重定向到填充了TextBox的前一页,或者仅调用AddComment但传递正确的参数值。
3 个解决方案
解决方案1
1 2019-03-08 21:37:32
There is no built-in way to do this. 没有内置的方法可以做到这一点。 The reason is, that this is not "the way of doing things". 原因是,这不是“做事的方式”。 If you have a form with a secured POST action, make the corresponding GET page authenticated-only as well. 如果您的表单具有受保护的POST操作,则还应使相应的GET页面仅经过身份验证。
解决方案2
0 2019-03-08 21:50:50
Try removing this line: 尝试删除此行:
filters.Add(new AuthorizeAttribute());
And adding the notation [Authorize] to your method, like: 并将符号[Authorize]添加到您的方法中,例如:
[Authorize]
public ActionResult AddComment(RestaurantViewModel model, Comment newComment)
{
var userId = User.Identity.GetUserId();
var user = _context.Users.FirstOrDefault(u => u.Id == userId);
newComment.RestaurantId = model.Restaurant.Id;
newComment.AuthorId = Guid.Parse(userId);
newComment.AuthorName = user.UserName;
newComment.DateTime = DateTime.Now;
_context.Comments.Add(newComment);
_context.SaveChanges();
return RedirectToAction("Details", "Restaurants", new { id = model.Restaurant.Id});
}
解决方案3
0 2019-03-11 13:43:12
I don't suggest doing this outside of the simplest of cases. 我不建议在最简单的情况下进行此操作。 You can change your form to use get instead of post : 您可以将表单更改为使用get而不是post :
@using (Html.BeginForm("AddComment", "Restaurants", FormMethod.Get))
{
@Html.TextBoxFor(c => c.NewComment.Body)
@Html.HiddenFor(m => m.Restaurant.Id)
<button type="submit">Add comment</button>
}
Caveats: 注意事项:
- This only will work if you use the built in auth, or your implementation forwards querystring values. 仅当您使用内置身份验证或您的实现转发查询字符串值时,此方法才有效。
- Second, the values will be in the URL, so they can be tampered with easily. 其次,这些值将出现在URL中,因此可以轻松对其进行篡改。
- Last, but not least, if
AddCommenthas theHttpPostattribute, you will have to remove that.最后但并非最不重要的一点,如果AddComment具有HttpPost属性,则必须将其删除。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.