
在我的 MVC3 web 应用程序中,我扩展了 Authorize 属性,如下所示

public class MyAuthorizeAttribute : AuthorizeAttribute
{
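    /// <summary>
    /// Rebuilds <see cref="HttpContextBase.User"/> from the forms-authentication ticket so that the
    /// roles stored in the ticket's pipe-separated <c>UserData</c> are visible to the base role
    /// check, then defers to <see cref="AuthorizeAttribute.AuthorizeCore"/>.
    /// </summary>
    /// <param name="httpContext">The current request context.</param>
    /// <returns>The result of the base authorization check.</returns>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (Authenticate.IsAuthenticated() && httpContext.User.Identity.IsAuthenticated)
        {
            var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
            if (authCookie != null)
            {
                // Decrypt validates the ticket's protection; a null result means the cookie could
                // not be decrypted, so no roles may be taken from it (the original dereferenced it).
                var ticket = FormsAuthentication.Decrypt(authCookie.Value);
                if (ticket != null)
                {
                    var roles = string.IsNullOrEmpty(ticket.UserData)
                        ? new string[0]
                        : ticket.UserData.Split('|');
                    var identity = new GenericIdentity(ticket.Name);
                    httpContext.User = new GenericPrincipal(identity, roles);
                }
            }
        }
        return base.AuthorizeCore(httpContext);
    }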

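    /// <summary>
    /// Rejects the request up front when the application-level authentication check fails;
    /// otherwise runs the standard <see cref="AuthorizeAttribute"/> pipeline.
    /// </summary>
    /// <param name="filterContext">The filter context for the action being authorized.</param>
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!Authenticate.IsAuthenticated())
        {
            // The 401 result is set here; running the base filter afterwards would only
            // re-evaluate AuthorizeCore for a request that is already rejected.
            HandleUnauthorizedRequest(filterContext);
            return;
        }

        base.OnAuthorization(filterContext);
    }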

在我的行动中,我使用它就像

    [MyAuthorize(Roles = "Member,Inspector,SalesRep,Admin,SuperAdmin")]
    public ActionResult OrderUpload()

现在,我必须在每个操作中指定每个用户角色。我想做的是指定如下内容

    [MyAuthorize(Roles = "Member")]
    public ActionResult OrderUpload()

这应该允许任何等于或高于“Member”的用户角色。因此,应允许“SalesRep”,而不应允许低于“Member”的“Visitor”。

所有用户角色都是数字增加的枚举

/// <summary>
/// Account tiers in ascending order of privilege. The numeric value is the rank used when
/// comparing roles: a higher value means a more privileged account.
/// </summary>
public enum UserAccountType : int
{
    Visitor = 5,
    Member = 10,
    Inspector = 15,
    SalesRep = 20,
    Admin = 25,
    SuperAdmin = 30,
}

如何修改 MyAuthorizeAttribute 以使其工作?

谢谢


2 回答 2


这是我的工作代码

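/// <summary>
/// Authorization filter that grants access when the current user holds a role whose
/// <see cref="UserAccountType"/> rank is at or above the rank named in
/// <see cref="AuthorizeAttribute.Roles"/>. The user's roles are read from the pipe-separated
/// <c>UserData</c> of the forms-authentication ticket.
/// </summary>
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>
    /// Decides whether the request is authorized.
    /// </summary>
    /// <param name="httpContext">The current request context.</param>
    /// <returns>
    /// <c>true</c> when the user is authenticated and either no role is required or at least one
    /// role from the ticket ranks at or above the lowest required role; otherwise <c>false</c>.
    /// </returns>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!Authenticate.IsAuthenticated() || !httpContext.User.Identity.IsAuthenticated)
            return false;

        // Without a decryptable ticket the user has no roles at all; the original indexed
        // roles[0] on a null array when the cookie was absent.
        string[] userRoles = new string[0];

        var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            // Decrypt validates the ticket's protection; a null result means the cookie could
            // not be decrypted and must not contribute any roles.
            var ticket = FormsAuthentication.Decrypt(authCookie.Value);
            if (ticket != null)
            {
                userRoles = string.IsNullOrEmpty(ticket.UserData)
                    ? new string[0]
                    : ticket.UserData.Split('|');

                // Keep the principal in sync with the ticket so downstream code sees the same
                // roles this filter authorized against.
                httpContext.User = new GenericPrincipal(new GenericIdentity(ticket.Name), userRoles);
            }
        }

        // No role threshold configured: being authenticated is sufficient.
        if (string.IsNullOrEmpty(Roles))
            return true;

        return MeetsRoleThreshold(userRoles, Roles);
    }

    /// <summary>
    /// Returns <c>true</c> when any entry of <paramref name="userRoles"/> names a defined
    /// <see cref="UserAccountType"/> ranked at or above the lowest-ranked defined entry of the
    /// comma-separated <paramref name="requiredRoles"/>.
    /// </summary>
    /// <param name="userRoles">Role names taken from the authentication ticket.</param>
    /// <param name="requiredRoles">The attribute's <c>Roles</c> value.</param>
    /// <returns><c>false</c> when no required entry is a defined enum member (fail closed).</returns>
    private static bool MeetsRoleThreshold(string[] userRoles, string requiredRoles)
    {
        // The threshold is the least-privileged role listed, so "Member,Admin" behaves like
        // "Member". (Enum.Parse on a comma-separated string ORs the numeric values together,
        // which produced a meaningless rank in the original.)
        UserAccountType? threshold = null;
        foreach (var name in requiredRoles.Split(','))
        {
            UserAccountType parsed;
            if (TryParseDefined(name, out parsed) && (threshold == null || parsed < threshold.Value))
                threshold = parsed;
        }

        if (threshold == null)
            return false;

        foreach (var name in userRoles)
        {
            UserAccountType parsed;
            if (TryParseDefined(name, out parsed) && parsed >= threshold.Value)
                return true;
        }

        return false;
    }

    /// <summary>
    /// Parses a role name into a <see cref="UserAccountType"/>, accepting only names of defined
    /// members. Enum.TryParse alone also accepts arbitrary numeric strings such as "999", which
    /// would compare above every real role.
    /// </summary>
    private static bool TryParseDefined(string name, out UserAccountType value)
    {
        return Enum.TryParse((name ?? string.Empty).Trim(), out value)
            && Enum.IsDefined(typeof(UserAccountType), value);
    }

    /// <summary>
    /// Rejects the request up front when the application-level authentication check fails;
    /// otherwise runs the standard <see cref="AuthorizeAttribute"/> pipeline.
    /// </summary>
    /// <param name="filterContext">The filter context for the action being authorized.</param>
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!Authenticate.IsAuthenticated())
        {
            // The 401 result is set here; running the base filter afterwards would only
            // re-evaluate AuthorizeCore for a request that is already rejected.
            HandleUnauthorizedRequest(filterContext);
            return;
        }

        base.OnAuthorization(filterContext);
    }
}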
于 2012-12-11T15:23:55.573 回答

我不使用 AuthorizeAttribute 而是使用 ActionFilter(这只是我,这就是我学习它的方式)但我要做的是在 AuthorizeAttribute 上添加一个属性,当在操作之前触发属性时会更新该属性。

/// <summary>
/// Sketch of an alternative design: the required role is passed through the constructor
/// instead of the base <c>Roles</c> property. Not compilable as written; the ':' lines stand
/// for code the answer omits.
/// </summary>
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    // Role name this attribute requires; meant to be compared against the enum rank in AuthorizeCore.
    private string Role = "";

    public MyAuthorizeAttribute(string role){
        this.Role = role;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
          :
          :
          :
          // now do a check if the Role is authorized or not using your enum. 
          // return error page if not
          // NOTE(review): AuthorizeCore returns bool, so a bare `return;` will not compile;
          // return true/false and let OnAuthorization/HandleUnauthorizedRequest produce the error page.
          if(RoleisAuthorized)
            return; 
          else
            // error page

    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
          :
          :
          :
    }
}

现在获得角色后,从枚举中获取它并比较是否允许该角色访问页面,如果不允许则返回错误页面。因此,由于我不熟悉 OnAuthorization,我会将这段流程放在 AuthorizeCore 中。

于 2012-11-30T21:53:30.240 回答