我尝试创建一个简单的过滤器,以查看用户是否处于一个名为“系统管理员”的角色,基本上是必须做[Authorize(Roles = "System Administrator")]的简写。我认为这很简单,但我对MVC也很新,所以也许我忽略了一些东西。
这是我的代码:
using System.Web.Mvc;
namespace site_redesign_web.Filters
{
public class SystemAdminFilter : ActionFilterAttribute
{
string SysAdminRole = "System Administrator";
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext.RequestContext.HttpContext.User != null)
{
var userSysAdmin = filterContext.RequestContext.HttpContext.User.IsInRole(SysAdminRole) == true;
filterContext.ActionParameters["IsSysAdmin"] = userSysAdmin;
}
}
}
}
有人可以建议我哪里出错吗?如果该人不是系统管理员,则会将其引导至Home/NoPermissions。
谢谢!
答案 0 :(得分:1)
由于您正在处理授权,我会延长AuthorizeAttribute而不是ActionFilterAttribute,这是模式一般的。您只需覆盖一个方法 - HandleUnauthorizedRequest,授权失败时执行该方法。 AuthorizeAttribute的默认实现已经为您处理基于角色的授权。
public class SystemAdminAttribute : AuthorizeAttribute
{
private const string SysAdminRole = "System Administrator";
public SystemAdminFilter()
{
//this defines the role that will be used to authorize the user:
this.Roles = SysAdminRole;
}
//if user is not authorized redirect to "Home/NoPermissions" page
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if(!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
base.HandleUnauthorizedRequest(filterContext);
}
else
{
filterContext.Result = new RedirectToRouteResult(new
RouteValueDictionary(new { controller = "Home", action = "NoPermissions" }));
}
}
}
实现属性后,用它装饰相应的控制器或操作:
[SystemAdmin]
public SysAdminController : Controller
{
}
答案 1 :(得分:1)
更新:修复所有问题。 AJ。干得好... 最后解决了问题
using ActionFilterAttribute
using System.Web.Mvc;
namespace site_redesign_web.Filters
{
public class SystemAdminFilter : ActionFilterAttribute
{
string SysAdminRole = "System Administrator";
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext.RequestContext.HttpContext.User != null)
{
var userSysAdmin = filterContext.RequestContext.HttpContext.User.IsInRole(SysAdminRole) == true;
if(!userSysAdmin)
{
filterContext.Result = new RedirectToRouteResult(
new System.Web.Routing.RouteValueDictionary{
{"controller", "Home"},
{"action", "Index"}
});
}
}
}
}
}
您的控制器应为
[SystemAdminFilter] // at controller level
public SomeController : Controller
{
}
或者您也可以通过此类注释将其用于特定的操作
public SomeController : Controller
{
[SystemAdminFilter] // at Action level
public ActionResult SomeAction()
{
// perform your actions
}
它会起作用,因为我在Global.asax
中的 Application_AuthorizeRequest 中手动传入了User。protected void Application_AuthorizeRequest(Object sender, EventArgs e)
{
FormsAuthenticationTicket formsAuthenticationTicket = new FormsAuthenticationTicket("Aravind", true, 30);
FormsIdentity formsIdentityId = new FormsIdentity(formsAuthenticationTicket);
GenericPrincipal genericPrincipal = new GenericPrincipal(formsIdentityId, new string[] { "SystemUser" }); //TEST with this redirected to Home Index place
HttpContext.Current.User = genericPrincipal ;
}
我做的下一个测试是用这个
GenericPrincipal genericPrincipal = new GenericPrincipal(formsIdentityId, new string[] { "System Administrator" }); //TEST with this did not perform an action