ASP.Net Identity检查多个角色以获取访问权限

时间:2014-03-28 09:26:43

标签: c# .net asp.net-mvc asp.net-mvc-5 asp.net-identity

在授予访问权限之前,是否有可能让asp.net身份需要2个角色的成员身份?

我的系统中有2层权限。首先是授予某些功能访问权限的公司类型,其次是限制特定方法和使用权限的公司类型。

CompanyType= Host,Expert,Manufacturer,Supplier,Consultant
Accesslevel= Admin,ReadOnly,ReadWrite

我希望能够做到这样的事情:

[Authorize(Roles = "Expert && ReadWrite || ReadOnly")]

目标是有一种处理方式而不是具有这些角色:

HostAdmin, HostReadOnly, HostReadWrite, ExpertAdmin ....

感谢您的时间。

2 个答案:

答案 0 :(得分:6)

是的,您可以要求多个角色,只需添加更多授权属性:

[Authorize(Roles="members")]
[Authorize(Roles="admin")]

这将要求用户同时拥有成员和管理员角色

更多详情 - > Allow multiple roles to access controller action

答案 1 :(得分:5)

我创建了一个自定义过滤器属性来满足您的需求。我做了一点简化:我将&&更改为&,将||更改为|。解析器还支持xor ^,而不是!和括号

[CustomAuthorize(Roles = "Expert & (ReadWrite | ReadOnly)")]

这是自定义授权属性

/// <summary>
/// [CustomAuthorize(Roles = "A & (!B | C) ^ D")]
/// </summary>
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    /*
     *  Exp -> SubExp '&' SubExp // AND
     *  Exp -> SubExp '|' SubExp // OR
     *  Exp -> SubExp '^' SubExp // XOR
     *  SubExp -> '(' Exp ')'
     *  SubExp -> '!' Exp        // NOT
     *  SubExp -> RoleName
     *  RoleName -> [a-z]
     */

    private const char TokenSeparator = ' ';
    private const char TokenAnd = '&';
    private const char TokenOr = '|';
    private const char TokenXor = '^';
    private const char TokenNot = '!';
    private const char TokenParentheseOpen = '(';
    private const char TokenParentheseClose = ')';

    abstract class Node
    {
        public abstract bool Eval(IPrincipal principal);
    }

    abstract class UnaryNode : Node
    {
        private readonly Node _expression;

        public Node Expression
        {
            get { return _expression; }
        }

        protected UnaryNode(Node expression)
        {
            _expression = expression;
        }
    }

    abstract class BinaryNode : Node
    {
        private readonly Node _leftExpression;
        private readonly Node _rightExpression;

        public Node LeftExpression
        {
            get { return _leftExpression; }
        }

        public Node RightExpression
        {
            get { return _rightExpression; }
        }

        protected BinaryNode(Node leftExpression, Node rightExpression)
        {
            _leftExpression = leftExpression;
            _rightExpression = rightExpression;
        }
    }

    class AndNode : BinaryNode
    {
        public AndNode(Node leftExpression, Node rightExpression)
            : base(leftExpression, rightExpression)
        {
        }

        public override bool Eval(IPrincipal principal)
        {
            return LeftExpression.Eval(principal) && RightExpression.Eval(principal);
        }
    }

    class OrNode : BinaryNode
    {
        public OrNode(Node leftExpression, Node rightExpression)
            : base(leftExpression, rightExpression)
        {
        }

        public override bool Eval(IPrincipal principal)
        {
            return LeftExpression.Eval(principal) || RightExpression.Eval(principal);
        }
    }

    class XorNode : BinaryNode
    {
        public XorNode(Node leftExpression, Node rightExpression)
            : base(leftExpression, rightExpression)
        {
        }

        public override bool Eval(IPrincipal principal)
        {
            return LeftExpression.Eval(principal) ^ RightExpression.Eval(principal);
        }
    }

    class NotNode : UnaryNode
    {
        public NotNode(Node expression)
            : base(expression)
        {
        }

        public override bool Eval(IPrincipal principal)
        {
            return !Expression.Eval(principal);
        }
    }

    class RoleNode : Node
    {
        private readonly string _roleName;

        public string RoleName
        {
            get { return _roleName; }
        }

        public RoleNode(string roleName)
        {
            _roleName = roleName;
        }

        public override bool Eval(IPrincipal principal)
        {
            return principal.IsInRole(RoleName);
        }
    }

    private Node _expression;

    void Parse(string text)
    {
        if (text == null) throw new ArgumentNullException("text");

        var delimiters = new[] { TokenSeparator, TokenAnd, TokenOr, TokenXor, TokenNot, TokenParentheseOpen, TokenParentheseClose };

        List<string> tokens = new List<string>();
        StringBuilder sb = new StringBuilder();

        for (int i = 0; i < text.Length; i++)
        {
            char c = text[i];
            if (c == TokenSeparator)
                continue;

            if (delimiters.Contains(c))
            {
                if (sb.Length > 0)
                {
                    tokens.Add(sb.ToString());
                    sb.Clear();
                }

                tokens.Add(c.ToString(CultureInfo.InvariantCulture));
            }
            else
            {
                sb.Append(c);
            }
        }

        if (sb.Length > 0)
        {
            tokens.Add(sb.ToString());
        }

        _expression = Parse(tokens.ToArray());
    }

    Node Parse(string[] tokens)
    {
        int index = 0;
        return ParseExp(tokens, ref index);
    }

    Node ParseExp(string[] tokens, ref int index)
    {
        Node leftExp = ParseSubExp(tokens, ref index);
        if (index > tokens.Length)
            return leftExp;

        string token = tokens[index];

        if (token == "&")
        {
            index++;
            Node rightExp = ParseSubExp(tokens, ref index);
            return new AndNode(leftExp, rightExp);
        }
        else if (token == "|")
        {
            index++;
            Node rightExp = ParseSubExp(tokens, ref index);
            return new OrNode(leftExp, rightExp);
        }
        else if (token == "^")
        {
            index++;
            Node rightExp = ParseSubExp(tokens, ref index);
            return new XorNode(leftExp, rightExp);
        }
        else
        {
            throw new Exception("Expected '&' or '|' or EOF");
        }
    }

    Node ParseSubExp(string[] tokens, ref  int index)
    {
        string token = tokens[index];

        if (token == "(")
        {
            index++;
            Node node = ParseExp(tokens, ref index);

            if (tokens[index] != ")")
                throw new Exception("Expected ')'");

            index++; // Skip ')'

            return node;
        }
        else if (token == "!")
        {
            index++;
            Node node = ParseExp(tokens, ref index);
            return new NotNode(node);
        }
        else
        {
            index++;
            return new RoleNode(token);
        }
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        IPrincipal user = httpContext.User;
        if (!user.Identity.IsAuthenticated)
        {
            return false;
        }

        if (_expression == null)
        {
            Parse(Roles);
        }

        if (_expression != null)
        {
            return _expression.Eval(user);
        }

        return true;
    }
}

否则您可以使用默认的AuthorizeAttribute

// (role1 OR role2) AND (role3 OR role4)
[Authorize(Roles = "Role1, Role2")] 
[Authorize(Roles = "Role3, Role4")]