在授予访问权限之前,是否有可能让asp.net身份需要2个角色的成员身份?
我的系统中有2层权限。首先是授予某些功能访问权限的公司类型,其次是限制特定方法和使用权限的公司类型。
CompanyType= Host,Expert,Manufacturer,Supplier,Consultant
Accesslevel= Admin,ReadOnly,ReadWrite
我希望能够做到这样的事情:
[Authorize(Roles = "Expert && ReadWrite || ReadOnly")]
目标是有一种处理方式而不是具有这些角色:
HostAdmin, HostReadOnly, HostReadWrite, ExpertAdmin ....
感谢您的时间。
答案 0 :(得分:6)
是的,您可以要求多个角色,只需添加更多授权属性:
[Authorize(Roles="members")]
[Authorize(Roles="admin")]
这将要求用户同时拥有成员和管理员角色
更多详情 - > Allow multiple roles to access controller action
答案 1 :(得分:5)
我创建了一个自定义过滤器属性来满足您的需求。我做了一点简化:我将&&更改为&,将||更改为|。解析器还支持xor ^,而不是!和括号
[CustomAuthorize(Roles = "Expert & (ReadWrite | ReadOnly)")]
这是自定义授权属性
/// <summary>
/// [CustomAuthorize(Roles = "A & (!B | C) ^ D")]
/// </summary>
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
/*
* Exp -> SubExp '&' SubExp // AND
* Exp -> SubExp '|' SubExp // OR
* Exp -> SubExp '^' SubExp // XOR
* SubExp -> '(' Exp ')'
* SubExp -> '!' Exp // NOT
* SubExp -> RoleName
* RoleName -> [a-z]
*/
private const char TokenSeparator = ' ';
private const char TokenAnd = '&';
private const char TokenOr = '|';
private const char TokenXor = '^';
private const char TokenNot = '!';
private const char TokenParentheseOpen = '(';
private const char TokenParentheseClose = ')';
abstract class Node
{
public abstract bool Eval(IPrincipal principal);
}
abstract class UnaryNode : Node
{
private readonly Node _expression;
public Node Expression
{
get { return _expression; }
}
protected UnaryNode(Node expression)
{
_expression = expression;
}
}
abstract class BinaryNode : Node
{
private readonly Node _leftExpression;
private readonly Node _rightExpression;
public Node LeftExpression
{
get { return _leftExpression; }
}
public Node RightExpression
{
get { return _rightExpression; }
}
protected BinaryNode(Node leftExpression, Node rightExpression)
{
_leftExpression = leftExpression;
_rightExpression = rightExpression;
}
}
class AndNode : BinaryNode
{
public AndNode(Node leftExpression, Node rightExpression)
: base(leftExpression, rightExpression)
{
}
public override bool Eval(IPrincipal principal)
{
return LeftExpression.Eval(principal) && RightExpression.Eval(principal);
}
}
class OrNode : BinaryNode
{
public OrNode(Node leftExpression, Node rightExpression)
: base(leftExpression, rightExpression)
{
}
public override bool Eval(IPrincipal principal)
{
return LeftExpression.Eval(principal) || RightExpression.Eval(principal);
}
}
class XorNode : BinaryNode
{
public XorNode(Node leftExpression, Node rightExpression)
: base(leftExpression, rightExpression)
{
}
public override bool Eval(IPrincipal principal)
{
return LeftExpression.Eval(principal) ^ RightExpression.Eval(principal);
}
}
class NotNode : UnaryNode
{
public NotNode(Node expression)
: base(expression)
{
}
public override bool Eval(IPrincipal principal)
{
return !Expression.Eval(principal);
}
}
class RoleNode : Node
{
private readonly string _roleName;
public string RoleName
{
get { return _roleName; }
}
public RoleNode(string roleName)
{
_roleName = roleName;
}
public override bool Eval(IPrincipal principal)
{
return principal.IsInRole(RoleName);
}
}
private Node _expression;
void Parse(string text)
{
if (text == null) throw new ArgumentNullException("text");
var delimiters = new[] { TokenSeparator, TokenAnd, TokenOr, TokenXor, TokenNot, TokenParentheseOpen, TokenParentheseClose };
List<string> tokens = new List<string>();
StringBuilder sb = new StringBuilder();
for (int i = 0; i < text.Length; i++)
{
char c = text[i];
if (c == TokenSeparator)
continue;
if (delimiters.Contains(c))
{
if (sb.Length > 0)
{
tokens.Add(sb.ToString());
sb.Clear();
}
tokens.Add(c.ToString(CultureInfo.InvariantCulture));
}
else
{
sb.Append(c);
}
}
if (sb.Length > 0)
{
tokens.Add(sb.ToString());
}
_expression = Parse(tokens.ToArray());
}
Node Parse(string[] tokens)
{
int index = 0;
return ParseExp(tokens, ref index);
}
Node ParseExp(string[] tokens, ref int index)
{
Node leftExp = ParseSubExp(tokens, ref index);
if (index > tokens.Length)
return leftExp;
string token = tokens[index];
if (token == "&")
{
index++;
Node rightExp = ParseSubExp(tokens, ref index);
return new AndNode(leftExp, rightExp);
}
else if (token == "|")
{
index++;
Node rightExp = ParseSubExp(tokens, ref index);
return new OrNode(leftExp, rightExp);
}
else if (token == "^")
{
index++;
Node rightExp = ParseSubExp(tokens, ref index);
return new XorNode(leftExp, rightExp);
}
else
{
throw new Exception("Expected '&' or '|' or EOF");
}
}
Node ParseSubExp(string[] tokens, ref int index)
{
string token = tokens[index];
if (token == "(")
{
index++;
Node node = ParseExp(tokens, ref index);
if (tokens[index] != ")")
throw new Exception("Expected ')'");
index++; // Skip ')'
return node;
}
else if (token == "!")
{
index++;
Node node = ParseExp(tokens, ref index);
return new NotNode(node);
}
else
{
index++;
return new RoleNode(token);
}
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null) throw new ArgumentNullException("httpContext");
IPrincipal user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
if (_expression == null)
{
Parse(Roles);
}
if (_expression != null)
{
return _expression.Eval(user);
}
return true;
}
}
否则您可以使用默认的AuthorizeAttribute
// (role1 OR role2) AND (role3 OR role4)
[Authorize(Roles = "Role1, Role2")]
[Authorize(Roles = "Role3, Role4")]