How should ASP.NET MVC routes be structured to allow fine-grained role-based access control over business branches?
Every business entity is tied to a branch, either directly or through its parent entity. Is there an elegant way to authorize actions for an arbitrary number of branches based on user roles?
1. {branch} in the route?
{branch}/{controller}/{action}/{id}
Action:
[Authorize(Roles="Technician")]
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    // Authorize will test if User has Technician role in branch context
    // ...
}
2. Retrieve the branch from the business entity?
{controller}/{action}/{id}
Action:
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    if (!User.HasAccessTo("WidgetAction", obj.Branch))
        throw new HttpException(403, "No soup for you!"); // or redirect
    // ...
}
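An added example (not code from the question) of how option 1 could be implemented in ASP.NET MVC 5: a custom AuthorizeAttribute that reads the {branch} route value and checks the listed roles in that branch's context, failing closed when the branch is missing. IBranchRoleService and ServiceFactory are assumed names standing in for the application's own membership lookup.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Hypothetical application service: does this user hold this role in this branch?
// Back it with your own membership/branch tables; the name is an assumption.
public interface IBranchRoleService
{
    bool UserHasRoleInBranch(string userName, string role, string branchKey);
}

// Usage: [BranchAuthorize(Roles = "Technician")] on an action reached through
// the route "{branch}/{controller}/{action}/{id}".
public class BranchAuthorizeAttribute : AuthorizeAttribute
{
    // Route value that carries the branch; the route above names it "branch".
    public string RouteKey { get; set; }
    // Resolver hook (assumed); replace with your DI container's resolver.
    public static Func<IBranchRoleService> ServiceFactory { get; set; }

    public BranchAuthorizeAttribute() { RouteKey = "branch"; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        // Fail closed: no branch in the route means no branch-scoped role to grant.
        var branch = httpContext.Request.RequestContext.RouteData.Values[RouteKey] as string;
        if (string.IsNullOrWhiteSpace(branch)) return false;

        var roles = (Roles ?? "").Split(',').Select(r => r.Trim())
                                   .Where(r => r.Length > 0).ToArray();
        if (roles.Length == 0) return true; // no Roles given: authenticated is enough

        // Same semantics as the built-in Roles (any listed role suffices), but the
        // membership is evaluated in the branch's context instead of globally.
        var service = ServiceFactory();
        return roles.Any(r => service.UserHasRoleInBranch(user.Identity.Name, r, branch));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The base class answers every failure with 401, which bounces an already
        // signed-in user back to the login page; give those users a 403 instead.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Register the branch route before the default one (for example with a constraint such as branch = @"^[A-Za-z0-9-]+$") so a plain {controller}/{action} URL is not mistaken for a branch.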