[英]ASP.NET MVC, 'Ticket Required' Attribute
I am attempting to build a system that allows users to perform certain actions, but their account must have a specific 'Ticket' per time they do it. 我正在尝试构建一个允许用户执行某些操作的系统,但是他们的帐户每次执行时都必须具有特定的“Ticket”。 For instance, suppose they wish to create a
Product
, they would need a CreateProductTicket
. 例如,假设他们希望创建一个
Product
,他们需要一个CreateProductTicket
。
I could simply do this with some 'if' statements, sure, but I want to try a bit more of a robust solution. 我可以用一些'if'语句简单地做到这一点,当然,但我想尝试一些更强大的解决方案。 My structure looks something like this...
我的结构看起来像这样......
interface ITicket<T> where T : ITicketable
{
}
My basic goal is to build an Attribute, perhaps like the following.. 我的基本目标是构建一个属性,可能如下所示。
public class TicketRequiredAttribute : Attribute
{
public TicketRequiredAttribute(ITicket<T> ticket)
{
if(ticket == null)
return;
}
}
And to be able to decorate Controller or Repository Actions with this. 并且能够用此装饰Controller 或 Repository Actions。 So like ...
所以......
[TicketRequired(CreateProductTicket)]
public ActionResult CreateProduct(Product product)
{
// ... **I am unsure how to tell if TicketRequired was true or not**
}
I'm not familiar enough with attributes to know how to tell if TicketRequired was 'met' or not. 我不熟悉属性知道如何判断TicketRequired是否“遇到”。 Can anyone enlighten me on this?
任何人都可以启发我吗?
The problem I am running into is with database querying. 我遇到的问题是数据库查询。 I want to be able to check the user (
IMembershipRepository
has a GetUser
method), but I'm not entirely certain how to do that through an attribute. 我希望能够检查用户(
IMembershipRepository
有一个GetUser
方法),但我不完全确定如何通过属性来做到这一点。
Using Castle.Windsor
, I have my Dependency Injection set up to inject repositories into controllers. 使用
Castle.Windsor
,我将依赖注入设置为将存储库注入控制器。 I suppose I could pass the IMembershipRepository
through the TicketRequired
constructor, but I have a feeling that will become very messy - and extremely unstable. 我想我可以通过
TicketRequired
构造函数传递IMembershipRepository
,但我感觉会变得非常混乱 - 而且非常不稳定。 Is there a more logical way to approach this? 有没有更合乎逻辑的方法来解决这个问题?
You're almost there. 你快到了。 You can find more details at http://www.asp.net/mvc/tutorials/understanding-action-filters-cs
您可以在http://www.asp.net/mvc/tutorials/understanding-action-filters-cs找到更多详细信息。
I would only use the attribute on the action since the website is where I do all my authorization. 我只会使用该操作的属性,因为该网站是我执行所有授权的地方。
Here is a possible solution. 这是一个可能的解决方案。 I have not tested this, but it should work.
我没有测试过这个,但它应该可以工作。 You'll need to verify the way I'm redirecting, not sure if that's the proper way.
您需要验证我重定向的方式,不确定这是否正确。
public class TicketRequiredActionFilter : ActionFilterAttribute
{
private Type _ticketType;
public TicketRequiredAttribute(Type ticketType)
{
_ticketRequired = ticketType;
}
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
UserServices userServices = GetUserServicesViaDIContainer(); // you'll need to figure out how to implement this
string userId = filterContext.HttpContext.User.Identity.Name
bool hasTicket = userServices.HasTicket(_ticketType, (int)userId); // again, you'll need to figure out the exact implementation
if(!hasTicket)
{
filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "controller", "Home" }, {"action", "NoPermission" } })
}
else
{
base.OnActionExecuting(filterContext);
}
}
}
In your controller: 在你的控制器中:
[TicketRequiredActionFilter(typeof(CreateProductTicket))]
public ActionResult MyMethod()
{
// do stuff as if the person is authorized and has the ticket
}
If the user doesn't have the ticket, a redirect is issues;, otherwise, continue as normal. 如果用户没有票证,则重定向是问题;否则,正常继续。
This sounds very much like user roles. 这听起来非常像用户角色。
How are you handling the user membership? 你是如何处理用户会员资格的? If your using the built-in asp.net membership you can use roles.
如果您使用内置的asp.net成员资格,则可以使用角色。 So each user will have a certain number of roles in your case one of the will be "CreateProductTicket" then you can decorate your action or controller with the Authorize attribute.
因此,每个用户在您的情况下将具有一定数量的角色,其中一个将是“CreateProductTicket”,然后您可以使用Authorize属性来装饰您的操作或控制器。 Something like:
就像是:
[Authorize(Roles="CreateProductTicket")]
public ActionResult CreateProduct(Product product)
If a user doesn't have the role or is not authorized then they can access the action. 如果用户没有该角色或未经授权,则他们可以访问该操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.