
c# - Custom page access security with MVC 4

Reposted. Author: 可可西里. Updated: 2023-11-01 08:25:57

I have a system in which all pages (Views) and all controls (buttons, links, menu items...) have security roles applied to them.

So I have an administration interface where all pages and controls are registered. Each user has an individual set of permissions.

So, for example:

I have a View EditCar with 3 buttons: "New", "Delete" and "Back".

So user X has permission to view EditCar, and only the "Back" button.

So every new View must be registered and associated with users. There are no roles, because every user is 100% configurable.

So, I have a FilterAttribute:

using System.Linq;
using System.Web.Mvc;

public class CustomAuthorize : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            // The current user's name comes from the filter context; a bare User property is not available here.
            string userName = filterContext.HttpContext.User.Identity.Name;

            // repository is the (not shown) data access object that loads the registered users and their permissions.
            var userPermissions = repository.GetAll().Where(x => x.Name.Equals(userName));

            // if (!userPermissions.Pages.Any(x => x.NamePage.Contains(???))))
        }
        else
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}

So my questions are:
- What should I keep in the database to identify each View (Action)? Maybe 3 values? Area, Controller, Action?

Is this the best option? Any other ideas about this solution?

Thanks
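A page-keyed authorization filter of the kind the question sketches, as an added example rather than code from the question or the answer: it derives the Area/Controller/Action key the question asks about from RouteData, denies by default, and runs as an IAuthorizationFilter so the check happens before any action filter. IPagePermissionStore and its UserMayAccess method are assumed (hypothetical) names for the lookup against the table of registered pages.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical lookup against the table of registered pages: does this user
// have the (area, controller, action) page in his individual permission set?
public interface IPagePermissionStore
{
    bool UserMayAccess(string userName, string pageKey);
}

public class PageAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    // The key stored per View/Action: "area/controller/action", lower-cased so
    // that casing differences in the URL cannot bypass the lookup.
    public static string BuildPageKey(RouteData routeData)
    {
        object area;
        routeData.DataTokens.TryGetValue("area", out area);
        return string.Format("{0}/{1}/{2}",
            (area as string) ?? string.Empty,
            routeData.GetRequiredString("controller"),
            routeData.GetRequiredString("action")).ToLowerInvariant();
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Anonymous: 401 so Forms authentication redirects to the login page.
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Authenticated but the page is not in the user's set: deny by default.
        // An unregistered page therefore fails closed instead of falling through.
        var store = DependencyResolver.Current.GetService<IPagePermissionStore>();
        string key = BuildPageKey(filterContext.RouteData);
        if (store == null || !store.UserMayAccess(user.Identity.Name, key))
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Page not permitted");
        }
    }
}
```

Apply it with [PageAuthorize] on the controllers (or register it in GlobalFilters) and register an IPagePermissionStore implementation with the DependencyResolver; the Area/Controller/Action triple from the question then becomes the single key row stored per registered View.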

Best answer

I have the same scenario in my web application, and it works in the following way:

We have in the database:

Permission contains View, Add, Edit, Delete

Feature contains all the features for which roles can be set

FeaturePermission binds permissions to features, i.e. which feature has which permission

UserRole holds the user's roles

RoleFeaturePermission indicates which role is allowed which permission

Now in code, when the user authenticates, I generate the list of permissions with the features assigned to them, and I have defined enums like:

public enum FeatureValue
{
    Custom = 1,
    Schedule = 2,
    Export = 3
}

public enum PermissionValue
{
    View = 1,
    Add = 2,
    Edit = 3,
    Delete = 4
}

and a static UserPermission class to get the authorization:

using System.Collections.Generic;
using System.Linq;

public static class UserPermission
{
    public static bool VerifyPermission(FeatureValue feature, PermissionValue permission, int id)
    {
        return getFeaturePermissionsForReport(feature, permission, id);
    }

    private static bool getFeaturePermissionsForReport(FeatureValue feature, PermissionValue permission, int id)
    {
        SessionHelper sessionHelper = new SessionHelper(null);
        UserModel userModel = sessionHelper.getUser(); // get user from session.

        if (userModel != null && userModel.IsAuthorized == false) return false;

        UserProfile userProfile = sessionHelper.Get<UserProfile>();

        if (userProfile != null && userProfile.AssignedRoleList != null)
        {
            // Flatten the feature/permission pairs of every role assigned to the user.
            List<Core.Entities.FeaturePermission> featurePermission =
                userProfile.AssignedRoleList.SelectMany(b => b.RoleFeaturePermission).ToList();

            if (featurePermission != null)
            {
                if (featurePermission.Count(f => f.Feature.Id == (int)feature && f.Permission.Id == (int)permission) > 0)
                {
                    bool isAllowed = false;

                    int featurePermissionId = featurePermission
                        .Where(f => f.Feature.Id == (int)feature && f.Permission.Id == (int)permission)
                        .Select(i => i.Id)
                        .FirstOrDefault();

                    // reports: the list of report entities in scope (not shown in the answer);
                    // the permission only applies to the report whose id was passed in.
                    isAllowed = reports.Count(r => r.FeaturePermissionId == featurePermissionId && r.Id == id) > 0;

                    return isAllowed;
                }
            }
        }

        return false;
    }
}

Now every link, button or action uses:

@* pageId is the id of the page/report being rendered, as passed to VerifyPermission's third parameter *@
@if (UserPermission.VerifyPermission(FeatureValue.Custom, PermissionValue.Edit, pageId))
{
    //action link to edit custom view
}

For Actions, the custom attribute is:

using System;
using System.Web.Mvc;
using System.Web.Routing;

[AttributeUsage(AttributeTargets.All, AllowMultiple = true)]
public class CustomFeaturePermissionAttribute : ActionFilterAttribute
{
    private FeatureValue[] feature;
    private PermissionValue[] permission;
    // The page/report id passed on to VerifyPermission; declared as int so that it
    // matches the constructor parameter (a bool field would lose the value).
    private int excludeParamId;

    /// <summary>
    /// Set values of featurelist and permission list
    /// </summary>
    /// <param name="featureList"></param>
    /// <param name="permissionList"></param>
    /// <param name="excludeParamId"></param>
    public CustomFeaturePermissionAttribute(object featureList, object permissionList, int excludeParamId)
    {
        FeatureList = (FeatureValue[])featureList;
        PermissionList = (PermissionValue[])permissionList;
        ExcludeParamId = excludeParamId;
    }

    public FeatureValue[] FeatureList
    {
        get { return feature; }
        set { feature = value; }
    }

    public int ExcludeParamId
    {
        get { return excludeParamId; }
        set { excludeParamId = value; }
    }

    public PermissionValue[] PermissionList
    {
        get { return permission; }
        set { permission = value; }
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        base.OnActionExecuting(filterContext);

        bool isAccessAllowed = false;

        // Feature i is paired with permission i; access is granted if any pair is allowed.
        // The bound on both arrays avoids an index error when the lists differ in length.
        for (int i = 0; i < FeatureList.Length && i < PermissionList.Length; i++)
        {
            isAccessAllowed = UserPermission.VerifyPermission(FeatureList[i], PermissionList[i], ExcludeParamId);

            if (isAccessAllowed)
                break;
        }

        if (!isAccessAllowed)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { action = "UnauthorizedAccess", controller = "Security" }));
        }
    }
}

And on the action, to allow a role that has View permission on Custom and Export:

// pageId must be a compile-time constant here: attribute arguments cannot be variables.
[CustomFeaturePermission(new FeatureValue[] { FeatureValue.Custom, FeatureValue.Export }, new PermissionValue[] { PermissionValue.View, PermissionValue.View }, pageId)]
public ActionResult Custom()
{
    //action body
}

Regarding c# - Custom page access security with MVC 4, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/19457812/
