我有以下具有自定义授权属性的控制器:
[CustomAuthorize(Roles = "Editor, Admin")]
public ActionResult Test()
{
//...
}
这是我的自定义授权代码:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
private readonly string[] _allowedRoles;
public CustomAuthorizeAttribute(params string[] roles)
{
_allowedRoles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
if (_allowedRoles.Length > 0 && !_allowedRoles.Any(user.IsInRole))
{
return false;
}
return true;
}
}
自定义授权为甚至不是编辑者或管理员的用户返回 true ?
我认为问题是这样的:
[CustomAuthorize(Roles = "Editor, Admin")]
我将其作为字符串传递,并且需要在CustomAuthorize方法中将其转换为数组?
答案 0 :(得分:0)
首先,您需要获取当前用户的角色,然后检查是否有任何角色允许用户访问控制器:
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
var userRoles = ((ClaimsIdentity)User.Identity).Claims
.Where(c => c.Type == ClaimTypes.Role)
.Select(c => c.Value);
if (_allowedRoles.Length > 0 && !_allowedRoles.Any(x => userRoles.Any(y => x.Equals(y)))))
{
return false;
}
return true;
}
答案 1 :(得分:0)
该属性的当前定义未引用Roles
属性,也未填充_allowedRoles
字段。
这就是为什么您的属性总是返回true
的原因。
查看自定义属性的分解逻辑
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute {
private readonly string[] _allowedRoles;
public CustomAuthorizeAttribute(params string[] roles) {
_allowedRoles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext) {
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (user?.Identity?.IsAuthenticated) {
if (isInRole(user, _allowedRoles)) {
return true;
}
if (!string.IsNullOrWhiteSpace(Roles)) {
var roles = Roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
if (isInRole(user, roles))
return true;
}
return true;
}
return false;
}
bool isInRole(IPrincipal user, string[] roles) {
return roles.Length > 0 && roles.Any(user.IsInRole);
}
}
可以像
那样使用[CustomAuthorize(Roles = "Editor, Admin")]
public ActionResult Test() {
//...
}
角色将被拆分并根据用户进行检查
或喜欢
[CustomAuthorize("Editor", "Admin")]
public ActionResult Test() {
//...
}
这将使用参数数组填充属性的构造函数