.NET Core authorization with a role-based attribute is not working

Time: 2019-05-10 05:23:45

Tags: asp.net kendo-ui asp.net-identity asp.net-core-2.0

I have set up .NET Core authorization via user roles. I set the authorize attribute restricted by role at the page level, and my method is restricted to only one role.

I am using an ajax call made through the kendo dataSource transport call. The user does have the correct attribute or role for the method call, but the method behaves somewhat differently.

I have to double-check inside the method, which is the only way I can currently protect my application.

    [HttpGet]
    [AutoValidateAntiforgeryToken]
    [Authorize(Roles="Administrators")]
    public async Task<IActionResult> OnGetDeleteCustomerAsync(cbs_Customers customers)
    {
        if (!ModelState.IsValid)
        {
            return Page();
        }

        // Manual role check; note it only runs for authenticated users.
        if (User.Identity.IsAuthenticated)
            if (!(User.IsInRole(Intrafiz.Authorization.Constants.ContactAdministratorsRole)))
            {
                return Unauthorized();
            }

        if (customers is cbs_Customers)
        {
            Customer = customers;
        }
        else
        {
            Response.StatusCode = (int)System.Net.HttpStatusCode.BadRequest;
            return new JsonResult(new
            {
                success = false,
                error = "(Deleting customer): failed to locate customer !"
            });
        }

        try
        {
            _context.cbs_Customers.Remove(Customer);
            await _context.SaveChangesAsync();
        }
        catch (DbUpdateConcurrencyException ex)
        {
            if (!cbs_CustomersExists(Customer.CustomerId))
            {
                return new JsonResult(new
                {
                    success = false,
                    error = "(Updating customer): failed to locate customer !"
                });
            }
            else
            {
                return new JsonResult(new
                {
                    success = false,
                    error = "(Updating customer): failed to locate customer !" + "\r\n" + ex.Message?.ToString()
                });
            }
        }

        return new JsonResult(Customer);
    }

This is in the site's configuration:

    services.AddIdentity<ApplicationUser, IdentityRole>(config =>
    {
        config.SignIn.RequireConfirmedEmail = true;
        config.Lockout.MaxFailedAccessAttempts = 5;
        config.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromDays(7);
        config.Lockout.AllowedForNewUsers = true;
        config.User.RequireUniqueEmail = true;
    }).AddEntityFrameworkStores<ApplicationDbContext>()
      .AddDefaultTokenProviders();

    services.AddAuthenticationCore();

    // Authorization handlers.
    services.AddScoped<IAuthorizationHandler,
                       ContactIsOwnerAuthorizationHandler>();

    services.AddSingleton<IAuthorizationHandler,
                          ContactAdministratorsAuthorizationHandler>();

    services.AddSingleton<IAuthorizationHandler,
                          ContactManagerAuthorizationHandler>();

This is from the kendo dataSource:

    destroy: {
        url: window.location.origin + "/Energy/Index?handler=DeleteCustomer",
        type: "GET"
    },

The user is authenticated by checking User.Identity.IsAuthorized, but the role is not Administrators or Administrator, and yet the call from the dataSource is still reaching the method.
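For comparison, here is an added example (not the asker's code) of the same delete handler written so that the role check is enforced where Razor Pages actually evaluates it. Razor Pages ignore filter attributes such as `[Authorize]` on individual handler methods; they must be placed on the `PageModel` class (or applied through page conventions), which is why a handler-level attribute lets a call through to the method. The example also makes the in-method check reject anonymous callers instead of skipping the role test when `IsAuthenticated` is false, and moves the delete to a POST handler so that the antiforgery validation Razor Pages perform on POST applies. The role name, the `ApplicationDbContext` type, the `cbs_Customers` entity and the `CustomerId` parameter are assumptions taken from the question.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.EntityFrameworkCore;

// Razor Pages honour [Authorize] on the PageModel class, not on handler
// methods, so the requirement is declared here for every handler on the page.
[Authorize(Roles = IndexModel.AdminRole)]
public class IndexModel : PageModel
{
    // Assumption: the role name used by the application (the question shows
    // "Administrators" and a ContactAdministratorsRole constant).
    public const string AdminRole = "Administrators";

    // Assumption: the EF Core context registered in the question's Startup.
    private readonly ApplicationDbContext _context;

    public IndexModel(ApplicationDbContext context) => _context = context;

    // State-changing operation: use POST so the token validation Razor Pages
    // apply to unsafe methods is enforced (it does not run for GET requests).
    public async Task<IActionResult> OnPostDeleteCustomerAsync(int customerId)
    {
        // Defence in depth: reject anonymous users and users outside the role,
        // rather than running the role test only when the user is authenticated.
        bool authenticated = User.Identity?.IsAuthenticated ?? false;
        if (!authenticated || !User.IsInRole(AdminRole))
        {
            // 403 for an authenticated user lacking the role; the class-level
            // attribute already turns anonymous callers into a challenge.
            return Forbid();
        }

        var customer = await _context.cbs_Customers.FindAsync(customerId);
        if (customer == null)
        {
            Response.StatusCode = (int)HttpStatusCode.NotFound;
            return new JsonResult(new
            {
                success = false,
                error = "(Deleting customer): failed to locate customer !"
            });
        }

        try
        {
            _context.cbs_Customers.Remove(customer);
            await _context.SaveChangesAsync();
        }
        catch (DbUpdateConcurrencyException ex)
        {
            // Row changed or vanished between the lookup and the delete.
            return new JsonResult(new { success = false, error = ex.Message });
        }

        return new JsonResult(new { success = true, customerId });
    }
}
```

With this layout the Kendo `destroy` transport should use `type: "POST"` and send the antiforgery token in the `RequestVerificationToken` request header (the default header name ASP.NET Core's antiforgery service reads), otherwise the POST is rejected before the handler runs. The same class-level requirement can alternatively be applied from `ConfigureServices` with `AddRazorPagesOptions(options => options.Conventions.AuthorizePage("/Energy/Index", policyName))` together with a policy that calls `RequireRole(AdminRole)`.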

0 answers:

No answers