I'm tracking whether a user can access certain pages of the site using a custom AuthorizeAttribute and a table in the database that holds their user name and role. If I change a user's role, whether through SQL or through the application's page, the application doesn't seem to pick it up for a while, and the delay varies: it may pick it up right away, or it may take 5-10 minutes or worse. The problem is that after their role has been changed they can still access pages they should no longer be allowed to see. If you query the table for the change, the change has taken effect on the database side. This doesn't seem to happen anywhere else in my project; editing another table reflects the changes just fine.
Custom authorize attribute:
// Class declaration assumed from the [AuthorizeUser(...)] usage shown further down.
public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Instance field: created once per attribute instance, not once per request.
    private QIEducationEntities db = new QIEducationEntities();

    public String Roles { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Identity name is DOMAIN\user; keep the part after the backslash.
        String userName = httpContext.User.Identity.Name.Split('\\')[1];
        User user = db.Users.Include("UserRole").FirstOrDefault(u => u.UserName == userName);
        if (user != null)
        {
            String[] rolesList = Roles.Split(',');
            foreach (String role in rolesList)
            {
                if (user.UserRole.UserRole1 == role)
                {
                    return true;
                }
            }
        }
        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Note: UrlReferrer is a client-supplied header; check it points back into this site before redirecting to it.
        Uri requestUrl = filterContext.HttpContext.Request.UrlReferrer;
        if (requestUrl != null)
        {
            filterContext.Result = new RedirectResult(requestUrl.ToString());
            filterContext.Controller.TempData["PopupMessage"] = "You are not currently authorized to view that page.";
        }
        else
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary {
                    { "action", "NotAuthorized" },
                    { "controller", "Admin" }
                });
        }
    }
}
The action that edits a user's role (also showing the attribute in use):
//
// GET: Admin/EditUser
[AuthorizeUser(Roles = "Admin")]
public ActionResult EditUser(int id)
{
    // SingleOrDefault: Single() throws when no row matches, so the null check below would never run.
    User user = db.Users.SingleOrDefault(u => u.UserID == id);
    if (user == null)
    {
        return HttpNotFound();
    }
    ViewBag.Roles = new SelectList(db.UserRoles, "UserRoleID", "UserRole1", user.UserRole);
    return View(user);
}

//
// POST: Admin/EditUser
[AuthorizeUser(Roles = "Admin")]
[HttpPost]
public ActionResult EditUser(User user)
{
    if (ModelState.IsValid)
    {
        // Attach the posted entity and mark every property as modified, then persist.
        db.Users.Attach(user);
        db.ObjectStateManager.ChangeObjectState(user, EntityState.Modified);
        db.SaveChanges();
        return RedirectToAction("AllUsers");
    }
    ViewBag.Roles = new SelectList(db.UserRoles, "UserRoleID", "UserRole1", user.UserRole);
    return View(user);
}
The view (in case it's relevant):
@using (Html.BeginForm())
{
    @Html.ValidationSummary(true)
    @Html.HiddenFor(model => model.UserID)
    <table class="table">
        <tr>
            <th class="table-row">
                User Name:
            </th>
            <td class="table-row">
                @Html.DisplayFor(model => model.UserName)
                @Html.HiddenFor(model => model.UserName)
                @Html.ValidationMessageFor(model => model.UserName)
            </td>
        </tr>
        <tr>
            <th class="table-row">
                Role:
            </th>
            <td class="table-row">
                @Html.DropDownListFor(model => model.Role,
                    ViewBag.Roles as SelectList, "",
                    new { @class = "chzn-select", data_placeholder = " -- Select Role -- " })
                @Html.ValidationMessageFor(model => model.UserRole)
            </td>
        </tr>
        <tr><td class="table-row-blank"></td></tr>
        <tr>
            <td class="table-row-button">
                <input class="button" type="submit" value="Submit" />
                <input type="button" class="button" value="Cancel"
                       onclick="location.href='@Url.Action("AllUsers")'" />
            </td>
        </tr>
    </table>
}
@section Scripts {
    <script type="text/javascript">
        $(document).ready(function () {
            // DropDownList "chosen" plugin hook-up
            $('.chzn-select').prepend("<option></option>");
            $('.chzn-select').chosen({ width: "100%" });
        });
    </script>
}
So, is something slightly off in how I'm editing the database context in my project, such that it doesn't pick up the changes?
Or does some time pass before the values in the database context are "updated"?
Thanks in advance.
Answer 0 (score: 2)
Try instantiating (and disposing) your QIEducationEntities class inside the AuthorizeCore method. The framework is caching the AuthorizeUser action filter, and with it the db instance variable. Moving it into AuthorizeCore will ensure it is created for each request.
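The change the answer describes, written out as an added example (not code from the question or the answer). It assumes the attribute class is named AuthorizeUserAttribute, as the `[AuthorizeUser(...)]` usage implies, and that QIEducationEntities is the EF ObjectContext the posted code uses. With the context scoped to the method, the role is re-read from the table on every authorization check; a context kept in the cached filter instance would keep handing back the User entity it already tracks (EF's default AppendOnly merge does not refresh tracked entities), which is why the old role lingered.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example: the context is created and disposed per request instead of
// being held in a field of a filter instance that MVC reuses across requests.
public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Roles (comma-separated role names) is inherited from AuthorizeAttribute,
    // so it no longer needs to be redeclared here.

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated)
            return false;

        // Identity name is DOMAIN\user; take the last segment so a name without
        // a backslash does not throw an IndexOutOfRangeException.
        String[] parts = httpContext.User.Identity.Name.Split('\\');
        String userName = parts[parts.Length - 1];

        String[] allowedRoles = (Roles ?? String.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .ToArray();

        // Per-request context: nothing cached from a previous request survives,
        // so a role changed in the table is seen on the very next request.
        using (var db = new QIEducationEntities())
        {
            User user = db.Users.Include("UserRole")
                               .FirstOrDefault(u => u.UserName == userName);
            if (user == null || user.UserRole == null)
                return false;

            // Exact match, as in the original check; deny by default otherwise.
            return allowedRoles.Contains(user.UserRole.UserRole1);
        }
    }
}
```

The Roles property of the base AuthorizeAttribute is used directly here; if the posted `public String Roles` declaration is kept instead, mark it `new` to avoid the hiding warning.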