2

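MSDN says:

To restrict access to an ASP.NET MVC view, you restrict access to the action method that renders the view. To accomplish this, the MVC framework provides the AuthorizeAttribute class.

I am working with an application that is loading nested partial views (for lack of a better term)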

public ActionResult Index(int id)
{
    // ....stuff.....

    return PartialView("PartialViewName", model);
}

Within the partial view loaded above, the nesting is as follows:

PartialView.cshtml

@Html.Partial("AnotherPartial", Model)
  -@Html.Partial("AnotherPartial_Partial", Model)
    -@Html.Partial("AnotherPartial_Partial_Partial", Model)
@Html.Partial("YetAnotherPartial", Model)
@Html.Partial("StillAnotherPartial", Model)

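How do I go about allowing access to one partial view but not another? What about specific elements within those partials, like buttons, panels, divs, textboxes, etc.?

I have users and roles defined in my database, so I know who has access to which elements/partial views.

Currently I am using my own Html helper to show or hide partial views: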

    public static MvcHtmlString ShowHidePartial(this HtmlHelper helper, string partialName, TheUser user)
    {
        bool? isVisible = false;

        //If I don't know who you are or what you are trying to view
        if (user == null || string.IsNullOrEmpty(partialName))
        {
            return MvcHtmlString.Empty;
        }

        if (IsAdmin(user))
        {
            return MvcHtmlString.Create(helper.Partial(partialName).ToString());
        }
        else
        {
            isVisible = IsVisible(partialName, user);
        }

        if (isVisible == true)
        {
            return MvcHtmlString.Create(helper.Partial(partialName).ToString());
        }

        return  MvcHtmlString.Empty;
    }

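I will probably stick with this approach for rendering the partials, but I am still not sure how to go about restricting access to/visibility of elements within those partials.

For example, if the user has access to AnotherPartial.cshtml, and that partial has 4 sections that allow the user to view/edit information (such as member address, member status, member phone, and member date of birth), all with update/save buttons. These sections are unique to AnotherPartial.cshtml.

Let's say I only want to allow the user to view (read-only) 2 of the sections, edit (ReadWrite) 1 section, and completely hide the 4th (hidden?... no access). How would I achieve this?

I am using Windows authentication to access the application.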

4

1 Answer

0

I'm not sure if you have actions that go with those partials, but it looks like you want to use Html.Partial so that you don't have to rebuild your model over and over again. One thing I would do in your case is pass in the roles you want to show those partials. You have to be careful in this case because this doesn't fully comply with the concept of Separation of Concerns, because you're providing some business logic within the view. But it seems that you've already gone down this route. So to extend your method a little bit you can do the following. I'm assuming that your TheUser class has a Roles property.

// Requires: using System.Linq;
public static MvcHtmlString ShowHidePartial(this HtmlHelper helper, string partialName, TheUser user, string[] roles)
{
    // No role list supplied: render nothing
    if (roles == null)
    {
        return MvcHtmlString.Empty;
    }

    // Render only if I know who you are, what you are trying to view,
    // and you hold at least one of the allowed roles
    if (user != null && !string.IsNullOrEmpty(partialName) && user.Roles.Any(r => roles.Contains(r)))
    {
        return MvcHtmlString.Create(helper.Partial(partialName).ToString());
    }

    return MvcHtmlString.Empty;
}

So now your view would look something like this:

@Html.ShowHidePartial("AnotherPartial", Model, new string[] {"AuthorizedRole1", "AuthorizedRole2"})
  -@Html.ShowHidePartial("AnotherPartial_Partial", Model, new string[] {"AuthorizedRole1"})
    -@Html.ShowHidePartial("AnotherPartial_Partial_Partial", Model, new string[] {"AuthorizedRole1", "AuthorizedRole3"})
@Html.ShowHidePartial("YetAnotherPartial", Model, new string[] {})
@Html.ShowHidePartial("StillAnotherPartial", Model, new string[] {})

Option 2: Build views based on the roles, for example an AdminView.cshtml that contains the partials that the admin view needs. Then in your business logic code decide on which view to execute. This would happen outside of the view code completely and better conform to the concept of Separation of Concerns.

answered 2013-06-01T02:04:09.187
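
The per-section Hidden / ReadOnly / ReadWrite requirement from the question, as an added example that is not part of the original question or answer: the view asks one helper for the access level of a section, and the action behind the section's save button enforces the same level through an `AuthorizeAttribute` subclass, as the MSDN passage quoted in the question recommends. `SectionAccess`, `SectionPermissions`, `AccessTo`, `SectionAuthorizeAttribute`, `MemberController.UpdateAddress` and the section name `"MemberAddress"` are hypothetical names, and the database lookup is assumed to be assigned to `Resolve` at application start.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public enum SectionAccess { Hidden = 0, ReadOnly = 1, ReadWrite = 2 }

public static class SectionPermissions
{
    // Hypothetical hook: the application replaces this with its database lookup.
    // The default denies everything, so a section nobody mapped stays hidden.
    public static Func<IPrincipal, string, SectionAccess> Resolve =
        (user, section) => SectionAccess.Hidden;

    public static SectionAccess For(IPrincipal user, string section)
    {
        if (user == null || !user.Identity.IsAuthenticated || string.IsNullOrEmpty(section))
            return SectionAccess.Hidden;
        return Resolve(user, section);
    }
    // View side, e.g.:
    // @if (Html.AccessTo("MemberAddress") == SectionAccess.ReadWrite) { <save button> }
    public static SectionAccess AccessTo(this HtmlHelper helper, string section)
    { return For(helper.ViewContext.HttpContext.User, section); }
}

// Server side: this is the check that protects the data. Hiding a save button
// in the view does not stop a hand-built POST to the update action.
public class SectionAuthorizeAttribute : AuthorizeAttribute
{
    public string Section { get; set; }
    public SectionAccess Minimum { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var access = SectionPermissions.For(httpContext.User, Section);
        // Hidden never passes, even if Minimum was left at its default value.
        return access != SectionAccess.Hidden && access >= Minimum;
    }
}

public class MemberController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    [SectionAuthorize(Section = "MemberAddress", Minimum = SectionAccess.ReadWrite)]
    public ActionResult UpdateAddress(int id, string address)
    {
        // ... persist the change for member `id` here ...
        return PartialView("AnotherPartial");
    }
}
```

A user whose level for the section is ReadOnly or Hidden gets the framework's unauthorized response from `UpdateAddress`, regardless of what the view rendered.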