我有一个安全的应用程序,每个操作都有一个Authorize
属性。
[Authorize(Roles = "Role1,Role2")]
public ActionResult MyAction(int id)
{
return View();
}
在我的UI中,我有这些控制器/操作的链接。我想为接受控制器和操作名称的链接创建一个自定义HtmlHelper:
@Html.SecuredLink("Click Me", "MyAction", "MyController");
这将根据用户是否拥有对给定操作的许可来确定天气是否呈现自己:
public static MvcHtmlString SecuredLink(this HtmlHelper helper, string text, string action, string controller)
{
var userId = Membership.GetUserId();
var userHasRightsToThisAction = IsActionAccessibleToUser(helper.ViewContext.RequestContext.HttpContext, controller, action); // <- How would this work?
if (userHasRightsToThisAction )
{
// Render Link
// ...
}
}
我一直无法找到从代码中轻松测试授权状态的操作的方法。
答案 0 :(得分:3)
好的找到了解决方案。在我知道安全修整的MvcSiteMap周围挖掘之后,我发现了这篇文章:
我使用了一些稍微修改过的代码来创建给我所需结果的方法:
/// <summary>
/// Determine if a controller/action is accessible for a user
/// </summary>
/// <param name="context">Current HttpContext</param>
/// <param name="controllerName">Target controller</param>
/// <param name="actionName">Target action</param>
/// <returns>True/false if the action is accessible</returns>
public static bool IsActionAccessibleToUser(HttpContextBase context, string controllerName, string actionName)
{
// Find current handler
MvcHandler handler = context.Handler as MvcHandler;
if (handler != null)
{
// try to figure out the controller class
IController controller = null;
try
{
controller = ControllerBuilder.Current.GetControllerFactory().CreateController(handler.RequestContext, controllerName);
}
catch (System.Web.HttpException e)
{
throw new Exception("The controller '" + controllerName + "Controller' was not found.", e);
}
// Find all AuthorizeAttributes on the controller class and action method
object[] controllerAttributes = controller.GetType().GetCustomAttributes(typeof(AuthorizeAttribute), true);
object[] actionAttributes = controller.GetType().GetMethod(actionName).GetCustomAttributes(typeof(AuthorizeAttribute), true);
// No attributes, then the action is open to all
if (controllerAttributes.Length == 0 && actionAttributes.Length == 0) return true;
// Find out current principal
IPrincipal principal = handler.RequestContext.HttpContext.User;
// Do we pass the roles for the controller?
string roles = "";
if (controllerAttributes.Length > 0)
{
AuthorizeAttribute attribute = controllerAttributes[0] as AuthorizeAttribute;
roles = attribute.Roles;
if (!PassRoleValidation(principal, roles)) return false;
}
// Do we pass the roles for the action?
if (actionAttributes.Length > 0)
{
AuthorizeAttribute attribute = actionAttributes[0] as AuthorizeAttribute;
roles = attribute.Roles;
if (!PassRoleValidation(principal, roles)) return false;
}
return true;
}
return false;
}
private static bool PassRoleValidation(IPrincipal principal, string roles)
{
// no roles, then all we need to be is authenticated
if (string.IsNullOrEmpty(roles) && principal.Identity.IsAuthenticated) return true;
string[] roleArray = roles.Split(',');
// if role contains "*", it's open to all
if (roleArray.Any(role => role == "*")) return true;
// Determine if the current user is allowed to access the current node
if (roleArray.Any(principal.IsInRole)) return true;
return false;
}
答案 1 :(得分:0)
好的,快速而污垢的解决方案:
准备用于构建Urls服务器端的功能
这样的事情可能是最好的选择:
public static string GetUrl(string Action, string Controller, object RouteValues) {
UrlHelper Url = new UrlHelper(HttpContext.Current.Request.RequestContext);
return Url.Action(Action, Controller, RouteValues);
}
在你的助手中,获取用户身份验证信息并返回构建的url或string.Empty。
public static string SecureLink(this HtmlHelper helper, string Action, string Controller, object RouteValues)
{
YourUserObject LoggedUser = /* Whatever you need to obtain your UserId */
if (LoggedUser.IsSuperUser) {
return GetUrl(Action, Controller, RouteValues);
}
return string.empty;
}
如果您的结果是HTML编码,只需使用MvcHtmlString代替字符串作为返回值。
否则,请注意,您可能需要使用@Html.Raw
来发送它。
PS:显然我没有在此示例代码中添加完整的<a href .../>
代,由您决定需要哪些参数(将它们添加到Helper签名),我通常会复制其他{{的签名1}}帮助器(所以Name,Value和HtmlAttributes列表)。