我有以下AuthorizeAttribute的扩展名(从http://johnskdev.com/prevent-concurrent-logins-from-a-single-user-account-in-net/进行了少量修改):
public class AuthorizeSingleLogin : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool isAuthorized = base.AuthorizeCore(httpContext);
string user = httpContext.User.Identity.Name;
string access = httpContext.Session.SessionID;
if (String.IsNullOrEmpty(user) || String.IsNullOrEmpty(access))
{
return isAuthorized;
}
SQLLoginrecord sqlLogin = new SQLLoginrecord();
return sqlLogin.IsLoggedIn(user, access);
}
}
在我的控制器中,我有:
[AuthorizeSingleLogin(Roles = "Users11")]
public ActionResult User11Action()
{
return View();
}
问题是,即使对于不在该角色的用户,这仍然允许我访问User11 View页面。当我将属性更改为仅授权时,如下所示:
[Authorize(Roles = "Users11")]
public ActionResult User11Action()
{
return View();
}
我从我的应用中获得了我期望的访问被拒绝页面。我该如何解决这个问题,以便扩展的AuthorizeSingleLogin尊重其父级支持的参数?
谢谢。