[英]Conditional/limited access in a controller/view? (MVC2)
I have two roles being used on my site currently, author & admin. 我目前在我的网站上使用两个角色,作者和管理员。 Authors cannot access user administration functions.
作者无法访问用户管理功能。 However, they should be able to edit certain parts of their profile.
但是,他们应该能够编辑其个人资料的某些部分。 An admin is currently able to edit all parts of a user's profile.
管理员当前可以编辑用户个人资料的所有部分。 For example:
例如:
employee ID [admin]
display name [author,admin]
roles [admin]
I would like to re-use code where possible. 我想在可能的地方重用代码。 I'm not sure what the best solution would be here.
我不确定最好的解决方案是什么。 There are 2 things to deal with
有两件事要处理
I think #1 is best achieved by a custom Authorize attribute (I already have one I can extend further). 我认为最好通过自定义Authorize属性(我已经有一个可以进一步扩展的属性)实现了#1。 If you have a better approach please share.
如果您有更好的方法,请分享。 And #2 I am unsure, view model?
#2我不确定,查看模型吗? I have my allowed fields bound for a user using a partial class which would be different for each role.
我使用部分类为用户绑定了允许的字段,该类对于每个角色都是不同的。
Your solution for #1 is spot on, you need to use the AuthorizeAttribute
. 针对#1的解决方案已经确定,您需要使用
AuthorizeAttribute
。
For #2 you can just do security trimming where you only render for the particular user. 对于#2,您可以只在特定用户渲染的地方进行安全修剪。
Some pseudo code in your view (or move it to a partial view): 视图中的一些伪代码(或将其移至部分视图):
if administrator
render employee ID text box
if administrator || author
render display name text box
if administrator
render roles check list
So you're going to need to control how to determine if the user is in a "role". 因此,您将需要控制如何确定用户是否处于“角色”。 You can use ASP.NET's Membership Provider or roll something of your own.
您可以使用ASP.NET的Membership Provider或自己创建一些。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.