0

我有一个具有授权属性的控制器:

Authorize(AuthorizationPolicies.Viewer)]
[HttpGet("retrieve/{id}")]
public ActionResult<ISomeInterface> Retrieve(int id)

并有授权政策:

public static void AddViewerPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Viewer, p => BuildPolicy(p, Permissions.Viewer));
}

public static void AddAdminPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Admin, p => BuildPolicy(p, Permissions.Admin));
}

如果我有“管理员”策略,我需要访问标有“查看器”授权策略的控制器。

我试过这个:

public static void AddAdminPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Admin, p => BuildPolicy(p, Permissions.Admin));

    options.AddPolicy(AuthorizationPolicies.Viewer, p => BuildPolicy(p, Permissions.Viewer));
}

这是BuildPolicy

private static void BuildPolicy(AuthorizationPolicyBuilder policy, int permission)
{
    policy.AddAuthenticationSchemes(Defaults.SchemeName); 
    policy.AddRequirements(new AuthorizationRequirement
    {
        Require = Access.Always,
        PermissionsRequired = new[] { permission }
    });
}

    public class AuthorizationHandler
  {
    protected override Task HandleRequirementAsync(
      AuthorizationHandlerContext context,
      AuthorizationRequirement requirement)
    {
      ClaimsPrincipal user = context.User;
      if (user == null)
      {
        context.Fail();
        return Task.CompletedTask;
      }
      Identity Identity = user.Identities.OfType<Identity>().FirstOrDefault<Identity>();

      if (requirement.PermissionsRequired != null && ((IEnumerable<int>) requirement.PermissionsRequired).Any<int>())
      {
        if (requirement.Require != Access.Always)
        {
          context.Fail();
          return Task.CompletedTask;
        }
        Client client;
        if (!user.TryGetClient(out client))
        {
          context.Fail();
          return Task.CompletedTask;
        }
        if (client.Permissions == null)
        {
          context.Fail();
          return Task.CompletedTask;
        }
        if (!((IEnumerable<int>) requirement.PermissionsRequired).Any<int>((Func<int, bool>) (rap => client.Permissions.Contains(rap))))
        {
          context.Fail();
          return Task.CompletedTask;
        }
      }
      if (requirement.AllowImpersonatedUser && Identity.Client != null && Identity.IsImpersonated)
      {
    context.Succeed((IAuthorizationRequirement) requirement);
    return Task.CompletedTask;
      }
      context.Fail();
      return Task.CompletedTask;
    }
  }

但结果是 403 错误。那么你可能有另一个更好的主意吗?

4

1 回答 1

0

您是否尝试过添加一个具有两个权限 ID 的策略作为数组,而不是添加两个策略,这两个策略都具有一个权限 ID?

public static void AddAdminPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Admin, p => BuildPolicy(p, new [] { Permissions.Admin, Permissions.Viewer }));
}

private static void BuildPolicy(AuthorizationPolicyBuilder policy, int[] permissions)
{
    policy.AddAuthenticationSchemes(Defaults.SchemeName); 
    policy.AddRequirements(new AuthorizationRequirement
    {
        Require = Access.Always,
        PermissionsRequired = permissions
    });
}
于 2019-07-12T14:22:09.697 回答