1

我尝试创建一个简单的过滤器来查看用户是否处于称为“系统管理员”的角色中,基本上是必须做的简写[Authorize(Roles = "System Administrator")]。我认为这会相当简单,但我对 MVC 也很陌生,所以也许我忽略了一些东西。

这是我的代码:

using System.Web.Mvc;

namespace site_redesign_web.Filters
{
    public class SystemAdminFilter : ActionFilterAttribute
    {
        string SysAdminRole = "System Administrator";

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            if (filterContext.RequestContext.HttpContext.User != null)
            {
                var userSysAdmin = filterContext.RequestContext.HttpContext.User.IsInRole(SysAdminRole) == true;
                filterContext.ActionParameters["IsSysAdmin"] = userSysAdmin;
            }
        }
    }
}

有人可以建议我哪里出错了吗?如果此人不是系统管理员,它会指导他们到Home/NoPermissions.

谢谢!

4

2 回答 2

1

由于您正在处理授权,因此我将扩展AuthorizeAttribute而不是扩展ActionFilterAttribute模式。您只需要覆盖一种方法 -HandleUnauthorizedRequest在授权失败时执行。AuthorizeAttribute 的默认实现已经为您处理了基于角色的授权。

public class SystemAdminAttribute : AuthorizeAttribute
{
    private const string SysAdminRole = "System Administrator";

    public SystemAdminFilter()
    {   
        //this defines the role that will be used to authorize the user:
        this.Roles = SysAdminRole;
    }  

    //if user is not authorized redirect to "Home/NoPermissions" page
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if(!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
        else
        {
            filterContext.Result = new RedirectToRouteResult(new
               RouteValueDictionary(new { controller = "Home", action = "NoPermissions" }));
         }
     }           
}

一旦你的属性被实现,用它装饰相应的控制器或动作:

[SystemAdmin]
public SysAdminController : Controller
{
}
于 2016-10-02T06:42:24.277 回答
1

更新:修复所有问题。AJ。给你...终于解决了问题

using ActionFilterAttribute 
using System.Web.Mvc;
namespace site_redesign_web.Filters
{
    public class SystemAdminFilter : ActionFilterAttribute
    {
        string SysAdminRole = "System Administrator";
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            if (filterContext.RequestContext.HttpContext.User != null)
            {
                var userSysAdmin = filterContext.RequestContext.HttpContext.User.IsInRole(SysAdminRole) == true;

            if(!userSysAdmin)
            {
                filterContext.Result = new RedirectToRouteResult(
                    new System.Web.Routing.RouteValueDictionary{
                    {"controller", "Home"},     
                    {"action", "Index"}
                });
            }
            }
        }
    }
}

你的控制器应该是

[SystemAdminFilter]     // at controller level
public SomeController : Controller
{

}

或者您也可以通过这样的注释将其用于特定的操作

public SomeController : Controller
{
    [SystemAdminFilter]     // at Action level
    public ActionResult SomeAction()
    {
            // perform your actions
    }

它将起作用,因为我在 Global.asax的Application_AuthorizeRequest中手动传递了具有他角色的用户

protected void Application_AuthorizeRequest(Object sender, EventArgs e)
{
     FormsAuthenticationTicket formsAuthenticationTicket = new FormsAuthenticationTicket("Aravind", true, 30);
     FormsIdentity formsIdentityId = new FormsIdentity(formsAuthenticationTicket);
     GenericPrincipal genericPrincipal = new GenericPrincipal(formsIdentityId, new string[] { "SystemUser" }); //TEST with this redirected to Home Index place
     HttpContext.Current.User = genericPrincipal ;
}

我做的下一个测试是用这个

GenericPrincipal genericPrincipal = new GenericPrincipal(formsIdentityId, new string[] { "System Administrator" }); //TEST with this did not perform an action
于 2016-10-02T11:14:34.150 回答