我已在我们的MVC应用程序中覆盖了基于角色的授权的 AuthorizeAttribute 类。
[HttpPOST]
[CustomAuthorize(Roles = "AddCOA")]
public ActionResult Edit([Bind(Include = "N100,S104,S103,S101,S1,S100,D1")] TrM trM)
{
if (ModelState.IsValid)
{
db.Entry(trM).State = EntityState.Modified;
db.SaveChanges();
return RedirectToAction("View",trM);
}
return View(trM);
}
我在查看中使用优惠券列表调用此控制器 方法。现在我必须禁用编辑ActionLink 按钮以查看某个角色,我该如何实现?
@Html.Actionlink("Edit", "Edit", "Controller", new{@class = "btn btn-success"})
现在它会自动将视图重定向到登录页面。
答案 0 :(得分:4)
您可以使用razor检查当前用户是否处于指定角色:
@if (User.IsInRole("AddCOA"))
{
@Html.Actionlink("Edit", "Edit", "Controller", new { @class = "btn btn-success" })
}
else
{
@Html.Actionlink("Edit", "Edit", "Controller", new { @class = "btn btn-success disbled" })
}
答案 1 :(得分:2)
您可以使用自定义ActionLink Extension在服务器端处理它,它会根据角色检查是否显示编辑链接到用户:
public static class LinkExtensions
{
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName)
{
return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, new RouteValueDictionary(), new RouteValueDictionary());
}
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, object routeValues)
{
return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, new RouteValueDictionary(routeValues), new RouteValueDictionary());
}
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName)
{
return htmlHelper.ActionLinkAuthorized(linkText, actionName, controllerName, new RouteValueDictionary(), new RouteValueDictionary());
}
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, RouteValueDictionary routeValues)
{
return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, routeValues, new RouteValueDictionary());
}
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, object routeValues, object htmlAttributes)
{
return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, new RouteValueDictionary(routeValues), new RouteValueDictionary(htmlAttributes));
}
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, RouteValueDictionary routeValues, IDictionary<string, object> htmlAttributes)
{
return htmlHelper.ActionLinkAuthorized(linkText, actionName, null, routeValues, htmlAttributes);
}
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName, object routeValues, object htmlAttributes)
{
return htmlHelper.ActionLinkAuthorized(linkText, actionName, controllerName, new RouteValueDictionary(routeValues), new RouteValueDictionary(htmlAttributes));
}
public static MvcHtmlString ActionLinkAuthorized(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName, RouteValueDictionary routeValues, IDictionary<string, object> htmlAttributes)
{
if (UserInRole()) // your business logic here for role check
{
return htmlHelper.ActionLink(linkText, actionName, controllerName, routeValues, htmlAttributes);
}
return MvcHtmlString.Empty;
}
}
并在View中使用它:
@Html.ActionLinkAuthorized("Edit", "Edit", "Controller", new{@class = "btn btn-success"})
您可以修改自定义属性代码以重定向到显示用户未经授权查看此页面的页面:
public class AuthorizationAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
string actionName = filterContext.ActionDescriptor.ActionName;
string controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
if (!AllowedToAccess()) // if not in specific role show page with message that user is unauthorized to view this page
{
string redirectUrl = string.Format("?returnUrl={0}", filterContext.HttpContext.Request.Url.PathAndQuery);
filterContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl + redirectUrl, true);
}
else
{
base.OnActionExecuting(filterContext); if authorized user allow it to view
}
}
并在Web.Config中为该操作设置url,当用户不在角色中时将调用该操作:
<authentication mode="Forms">
<forms loginUrl="~/UnAuthorized" timeout="2880" />
</authentication>