对于我的应用程序,我需要设置基于角色的授权。我在网上看到了一些样品,但我的要求有点不同。我有像经理、管理员、提交者等角色。然后我有像区域经理、国家经理、区域管理员、国家管理员、区域提交者、国家提交者等子角色。所以像角色和子角色。
我的问题是,当我在 .net MVC 中设计这个时,我应该将子角色视为角色并根据区域和子区域定义 10 个不同的角色,还是应该将角色(如管理员、提交者和经理)分组,然后处理子角色分别在代码中?
什么是正确的设计?
有什么样品可以看吗?
谢谢。
问问题
608 次
1 回答
2
I've been plagued with this same situation for many apps. Although my roles have different names. Using your naming structure, I would be inclined to follow the former structure of your suggestion.
If a user is in the following roles: Manager, Country.
Your user will still be allowed in actions marked with [Authorize(Roles = "Manager, Regional")], but would not be allowed in actions marked with [Authorize(Roles = "Regional Manager")]
I haven't been able to find a way to prohibit roles using the [Authorize] attribute (as in, if not in role, or is in role AND in role).
Another thought, if you have a controller specific to managers, you can set the [Authorize(Roles = "Manager")] attribute on the controller and on actions as [Authorize(Roles = "Regional")] or [Authorize(Roles = "Country"] as needed.
This, I think, will allow a user only if they are in both (for instance) the 'Manager' and 'Regional' roles in some actions requiring that the user be in both those roles. This way you could have a 'Manager', 'Regional', and 'Country' roles separated. Which should make it easier to assign a user to the roles as needed.
于 2013-07-02T08:14:40.263 回答