Figured it out pretty quickly :O
I created another authorize attribute:
public sealed class OverrideAuthorize : AuthorizeAttribute
{
}
and use it as a test inside LogonAuthorize:
public override void OnAuthorization(AuthorizationContext filterContext)
{
    // Skip the global rule if the action or its controller carries either marker.
    // The second argument (inherit: true) also finds the attribute on a base controller
    // class or on an overridden action method.
    bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
        || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
        || filterContext.ActionDescriptor.IsDefined(typeof(OverrideAuthorize), true)
        || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(OverrideAuthorize), true);
    if (!skipAuthorization)
    {
        base.OnAuthorization(filterContext);
    }
}
Now I just need to mark my whitelisted actions with OverrideAuthorize (or AllowAnonymous):
[OverrideAuthorize(Roles = "Staff, Administrator")]
public ActionResult Index()
{
return View();
}
So the LogonAuthorize attribute applies to all controllers and actions by default and requires the role "Admin", but it only authorizes when neither AllowAnonymous nor OverrideAuthorize is defined.
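The pieces of the answer assembled into one compilable unit, as an added example that is not the answer's own code. It assumes ASP.NET MVC 4 or later (System.Web.Mvc, where AllowAnonymousAttribute exists); the class names LogonAuthorize and OverrideAuthorize come from the answer, while FilterConfig, ReportsController, HasAttribute and the action names are illustrative names chosen here. It shows the global registration the answer implies, the default "Admin" role, and what each attribute combination on an action actually enforces.

```csharp
using System;
using System.Web.Mvc;

// Global default: every action requires an authenticated user in role "Admin".
public sealed class LogonAuthorize : AuthorizeAttribute
{
    public LogonAuthorize()
    {
        Roles = "Admin";
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Step aside when the action or its controller carries either marker.
        bool skipAuthorization =
            HasAttribute(filterContext, typeof(AllowAnonymousAttribute)) ||
            HasAttribute(filterContext, typeof(OverrideAuthorize));

        if (!skipAuthorization)
        {
            base.OnAuthorization(filterContext);
        }
    }

    // Helper introduced for this example (not in the answer): inherit: true also finds
    // the attribute on a base controller class or an overridden action method.
    private static bool HasAttribute(AuthorizationContext ctx, Type attributeType)
    {
        return ctx.ActionDescriptor.IsDefined(attributeType, true)
            || ctx.ActionDescriptor.ControllerDescriptor.IsDefined(attributeType, true);
    }
}

// Marker that replaces, rather than removes, the global rule. Because it is itself an
// AuthorizeAttribute, the filter pipeline still runs its own Roles/Users check on the
// action even though LogonAuthorize has stepped aside.
public sealed class OverrideAuthorize : AuthorizeAttribute
{
}

public static class FilterConfig
{
    // Call from Application_Start: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new LogonAuthorize());
    }
}

// Illustrative controller showing what each combination enforces.
public class ReportsController : Controller
{
    // Global rule skipped; OverrideAuthorize requires Staff or Administrator instead.
    [OverrideAuthorize(Roles = "Staff, Administrator")]
    public ActionResult Index()
    {
        return View();
    }

    // Global rule skipped; any authenticated user, no role required.
    [OverrideAuthorize]
    public ActionResult Mine()
    {
        return View();
    }

    // Anyone, including anonymous users.
    [AllowAnonymous]
    public ActionResult Public()
    {
        return View();
    }

    // No attribute: falls through to the global rule, so role "Admin" is required.
    public ActionResult Admin()
    {
        return View();
    }
}
```

The security-relevant detail is that OverrideAuthorize must stay derived from AuthorizeAttribute. If it were a plain Attribute used only as a marker, LogonAuthorize would still skip on seeing it, but nothing would run an authorization check afterwards, and the decorated action would become reachable without any login. Keeping it an AuthorizeAttribute means an action marked with it is never less protected than "authenticated user", and any Roles or Users it carries are enforced by the normal filter pipeline.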