
c# - Authorization policies in Identity 3 / MVC 6

Reposted. Author: 行者123. Updated: 2023-11-30 16:04:56

I have done a lot of research but am still not sure whether I am doing this the right way. The best resource I found is here:

http://leastprivilege.com/2015/10/12/the-state-of-security-in-asp-net-5-and-mvc-6-authorization/

Given that the ApplicationUser class has been extended to include a list of authorised account numbers, I want to restrict users to viewing only the statements (and other operations) for the accounts they are authorised for. I think this is a very common design, but most of the articles online refer to earlier versions of Identity.

(PS: I inject the UserManager in the controller constructor.)

This is my action:

public IActionResult GetStatement(int accountNo, DateTime startDate, DateTime endDate)
{
    // Resolve the caller's id first so the query only captures a plain string.
    var userId = User.GetUserId();

    // Load the signed-in user together with the accounts they are authorised for.
    var user = userManager.Users
        .Include(u => u.AuthorisedAccounts)
        .FirstOrDefault(u => u.Id == userId);

    // Serve the statement only when accountNo is one of the caller's authorised accounts.
    if (user?.AuthorisedAccounts != null
        && user.AuthorisedAccounts.Any(a => a.AccountNo == accountNo))
    {
        return View(statementService.GetStatement(accountNo, startDate, endDate, 0));
    }

    // Default is deny: an unknown user or an account not in the list gets no data.
    return HttpUnauthorized();
}

I can't help feeling there must be a better way? Basically I want to authorise based on the action parameter "accountNo".

Any hints on which approach to take.

Best answer

In this case you would use the resource-based approach, where the account is the resource. This is documented at https://docs.asp.net/en/latest/security/authorization/resourcebased.html

First you need to define a Read operation,

public static class Operations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
}

Now you would have an AccountAccess policy

// RC1-era namespaces: the handler types live in Microsoft.AspNet.Authorization,
// OperationAuthorizationRequirement in Microsoft.AspNet.Authorization.Infrastructure,
// Include() in Microsoft.Data.Entity, GetUserId() in Microsoft.AspNet.Identity.
public class AccountAuthorizationHandler : AuthorizationHandler<
    OperationAuthorizationRequirement, Account>
{
    // Identity has no IUserManager; inject the concrete UserManager<ApplicationUser>.
    readonly UserManager<ApplicationUser> _userManager;

    public AccountAuthorizationHandler(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    protected override void Handle(AuthorizationContext context,
        OperationAuthorizationRequirement requirement,
        Account resource)
    {
        // Pull the user ID claim out from the context.User (same extension the question uses).
        var userId = context.User.GetUserId();

        // Get the current user's account numbers.
        var user = _userManager.Users
            .Include(u => u.AuthorisedAccounts)
            .Where(u => u.Id == userId)
            .FirstOrDefault();

        // Now check if the user's account numbers match the resource accountNumber, and
        // also check the operation type, in case you want to vary based on create, view etc.
        // The name compared must be the one defined in Operations ("Read"), otherwise the
        // handler can never succeed.
        if (user?.AuthorisedAccounts != null
            && user.AuthorisedAccounts.Any(a => a.AccountNo == resource.AccountId)
            && requirement.Name == Operations.Read.Name)
        {
            context.Succeed(requirement);
        }
        // Otherwise neither Succeed nor Fail is called: the requirement stays unmet
        // and the authorization service reports the access as denied.
    }
}

Then register your policy in the DI container in ConfigureServices;

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthorization();

    // Scoped rather than singleton: the handler depends on UserManager, which is
    // itself scoped because it wraps a per-request DbContext. A singleton would
    // capture one DbContext for the lifetime of the application.
    services.AddScoped<IAuthorizationHandler,
        AccountAuthorizationHandler>();
}

Inject the AuthorizationService into your controller;

public class AccountController : Controller
{
    readonly IAuthorizationService _authorizationService;

    public AccountController(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }
}

Then, in your controller, after you have loaded the account resource, you can do something like this

public async Task<IActionResult> View(int accountId)
{
    // accountManager stands for whatever component loads Account entities.
    Account account = accountManager.Find(accountId);

    // Unknown account: 404 before any authorization check, so nothing is leaked
    // about accounts that do not exist.
    if (account == null)
    {
        return new HttpNotFoundResult();
    }

    // Ask the authorization service whether this user may Read this account;
    // it runs every registered handler for the requirement/resource pair.
    if (await _authorizationService.AuthorizeAsync(User, account, Operations.Read))
    {
        return View(account);
    }
    else
    {
        return new ChallengeResult();
    }
}
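The same resource-based check, written as an added example (not code from the question or the answer) against the released ASP.NET Core API (2.0 or later), which the RC1-era code above predates: AuthorizationHandlerContext and HandleRequirementAsync replace AuthorizationContext and Handle, and AuthorizeAsync returns an AuthorizationResult instead of a bool. The model classes are assumed shapes matching the question's description, IAccountRepository is a hypothetical lookup abstraction, and the handler asks the store a single yes/no question instead of loading the whole user graph.

```csharp
// Added example; assumes ASP.NET Core 2.0+ with Identity and EF Core.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Assumed model shapes, following the question's description.
public class Account { public int AccountNo { get; set; } }
public class AuthorisedAccount { public int AccountNo { get; set; } }
public class ApplicationUser : IdentityUser
{
    public ICollection<AuthorisedAccount> AuthorisedAccounts { get; set; }
}
// Hypothetical abstraction for loading the Account resource.
public interface IAccountRepository { Task<Account> FindByNumberAsync(int accountNo); }

public static class AccountOperations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
}

// Decides whether the calling principal may perform an operation on one Account.
public class AccountAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Account>
{
    private readonly UserManager<ApplicationUser> _userManager;

    public AccountAuthorizationHandler(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Account resource)
    {
        // Only Read is handled here. Any other operation is left unhandled and is
        // therefore denied, because nothing ever marks its requirement succeeded.
        if (requirement.Name != AccountOperations.Read.Name)
            return;

        var userId = _userManager.GetUserId(context.User);
        if (userId == null)
            return; // anonymous caller: the requirement stays unsatisfied

        // One translated query for the single fact needed: is this account number
        // in the caller's authorised list?
        bool authorised = await _userManager.Users
            .Where(u => u.Id == userId)
            .SelectMany(u => u.AuthorisedAccounts)
            .AnyAsync(a => a.AccountNo == resource.AccountNo);

        if (authorised)
            context.Succeed(requirement);
        // Deliberately no context.Fail(): another handler may still grant access;
        // not calling Succeed is enough for the policy to evaluate as denied.
    }
}

public class AccountController : Controller
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IAccountRepository _accounts;

    public AccountController(IAuthorizationService authorizationService,
                             IAccountRepository accounts)
    {
        _authorizationService = authorizationService;
        _accounts = accounts;
    }

    public async Task<IActionResult> GetStatement(int accountNo, DateTime startDate, DateTime endDate)
    {
        Account account = await _accounts.FindByNumberAsync(accountNo);
        if (account == null)
            return NotFound();

        AuthorizationResult result =
            await _authorizationService.AuthorizeAsync(User, account, AccountOperations.Read);
        if (!result.Succeeded)
        {
            // 401 (challenge) for anonymous callers, 403 (forbid) for signed-in
            // callers who are not authorised for this account.
            return User.Identity.IsAuthenticated ? Forbid() : Challenge();
        }

        return View(account);
    }
}
```

Register the handler with services.AddScoped<IAuthorizationHandler, AccountAuthorizationHandler>() next to services.AddAuthorization(); scoped, because it holds a UserManager that in turn holds a per-request DbContext. Two points worth keeping from this shape: the account lookup happens before the authorization check so a missing account is a plain 404 rather than a hint about which accounts exist, and the handler only ever calls Succeed, so the default outcome for every path it does not explicitly approve is deny.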

On c# - Authorization policies in Identity 3 / MVC 6, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/34293133/
