
asp.net-mvc - MVC UI trimming based on Controller/Action Authorize attributes

Reposted. Author: 行者123. Updated: 2023-12-04 06:08:36

I have a secured application with an Authorize attribute on every action.

    [Authorize(Roles = "Role1,Role2")]
    public ActionResult MyAction(int id)
    {
        return View();
    }

In my UI I have links pointing to these controllers/actions. I would like to create a custom HtmlHelper for links that accepts a controller and action name:

    @Html.SecuredLink("Click Me", "MyAction", "MyController")

It would decide whether to render the link based on whether the user is authorized to execute the given action:

    using System.Web.Mvc;
    using System.Web.Mvc.Html;

    public static MvcHtmlString SecuredLink(this HtmlHelper helper, string text, string action, string controller)
    {
        var userHasRightsToThisAction = IsActionAccessibleToUser(helper.ViewContext.RequestContext.HttpContext, controller, action); // <- How would this work?

        if (userHasRightsToThisAction)
        {
            // Render Link
            // ...
            return helper.ActionLink(text, action, controller);
        }

        // Not authorized: render nothing rather than a link the user cannot follow
        return MvcHtmlString.Empty;
    }

I have not been able to find a way to easily test the authorization status of an action in code.

Best Answer

OK, found a solution. After digging into MvcSiteMap, which I knew does security trimming, I found this article about it:

http://blog.maartenballiauw.be/post/2008/08/29/Building-an-ASPNET-MVC-sitemap-provider-with-security-trimming.aspx

I used some of that code, slightly modified, to create a method that gives me the result I need:

    using System;
    using System.Linq;
    using System.Reflection;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Mvc;

    /// <summary>
    /// Determine if a controller/action is accessible for a user
    /// </summary>
    /// <param name="context">Current HttpContext</param>
    /// <param name="controllerName">Target controller</param>
    /// <param name="actionName">Target action</param>
    /// <returns>True/false if the action is accessible</returns>
    /// <remarks>
    /// This mirrors the Roles check of the built-in AuthorizeAttribute only. The Users
    /// property and custom AuthorizeAttribute subclasses that override AuthorizeCore are
    /// not evaluated, so the [Authorize] attribute on the action stays the real enforcement
    /// point; this method is only for hiding links in the UI.
    /// </remarks>
    public static bool IsActionAccessibleToUser(HttpContextBase context, string controllerName, string actionName)
    {
        // Find current handler
        MvcHandler handler = context.Handler as MvcHandler;

        if (handler != null)
        {
            // try to figure out the controller class
            IControllerFactory factory = ControllerBuilder.Current.GetControllerFactory();
            IController controller = null;
            try
            {
                controller = factory.CreateController(handler.RequestContext, controllerName);
            }
            catch (HttpException e)
            {
                throw new Exception("The controller '" + controllerName + "Controller' was not found.", e);
            }

            try
            {
                // Find all AuthorizeAttributes on the controller class and action method
                AuthorizeAttribute[] controllerAttributes = controller.GetType()
                    .GetCustomAttributes(typeof(AuthorizeAttribute), true)
                    .Cast<AuthorizeAttribute>().ToArray();

                // Actions are public instance methods, matched case-insensitively as MVC does.
                // All overloads (e.g. a GET and a POST version) are considered, because
                // GetMethod(actionName) would throw AmbiguousMatchException on overloads.
                MethodInfo[] actionMethods = controller.GetType()
                    .GetMethods(BindingFlags.Public | BindingFlags.Instance)
                    .Where(m => string.Equals(m.Name, actionName, StringComparison.OrdinalIgnoreCase))
                    .ToArray();

                // No such action: nothing to link to
                if (actionMethods.Length == 0) return false;

                AuthorizeAttribute[] actionAttributes = actionMethods
                    .SelectMany(m => m.GetCustomAttributes(typeof(AuthorizeAttribute), true))
                    .Cast<AuthorizeAttribute>().ToArray();

                // No attributes, then the action is open to all
                if (controllerAttributes.Length == 0 && actionAttributes.Length == 0) return true;

                // Find out current principal
                IPrincipal principal = handler.RequestContext.HttpContext.User;

                // Do we pass the roles for the controller? Every attribute must pass,
                // which is how MVC itself evaluates stacked authorization filters.
                if (controllerAttributes.Any(attribute => !PassRoleValidation(principal, attribute.Roles))) return false;

                // Do we pass the roles for the action?
                if (actionAttributes.Any(attribute => !PassRoleValidation(principal, attribute.Roles))) return false;

                return true;
            }
            finally
            {
                // The factory created the controller instance, so let it dispose it
                factory.ReleaseController(controller);
            }
        }

        return false;
    }

    private static bool PassRoleValidation(IPrincipal principal, string roles)
    {
        // no roles, then all we need to be is authenticated (also guards the Split below against null)
        if (string.IsNullOrEmpty(roles)) return principal.Identity.IsAuthenticated;

        // Role lists are comma-separated and may contain whitespace, e.g. "Role1, Role2"
        string[] roleArray = roles.Split(',')
            .Select(role => role.Trim())
            .Where(role => role.Length > 0)
            .ToArray();

        // if role contains "*", it's open to all
        if (roleArray.Any(role => role == "*")) return true;

        // Determine if the current user is allowed to access the current node
        if (roleArray.Any(principal.IsInRole)) return true;

        return false;
    }
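As an added example, not part of the original answer or of MvcSiteMapProvider: instead of re-implementing the role check, this variant asks MVC's own authorization filters (global, controller-level and action-level, so custom AuthorizeAttribute subclasses, Users= and [AllowAnonymous] are all honoured) whether the current user may reach the target action. It assumes ASP.NET MVC 3 or later; the class name ActionAccessChecker and the method name IsActionAuthorized are mine.

```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example, not the original answer's code. Assumes ASP.NET MVC 3+.
public static class ActionAccessChecker
{
    // True when every IAuthorizationFilter that MVC would run for the target
    // action leaves AuthorizationContext.Result null (i.e. none denied access).
    public static bool IsActionAuthorized(HttpContextBase httpContext, string controllerName, string actionName)
    {
        // Route data must name the *target* action so filters that inspect RouteData see it
        var routeData = new RouteData();
        routeData.Values["controller"] = controllerName;
        routeData.Values["action"] = actionName;
        var requestContext = new RequestContext(httpContext, routeData);

        var factory = ControllerBuilder.Current.GetControllerFactory();
        IController controller;
        try { controller = factory.CreateController(requestContext, controllerName); }
        catch (HttpException) { return false; } // unknown controller: hide the link, no dead links

        try
        {
            var controllerBase = controller as ControllerBase;
            if (controllerBase == null) return false;
            var controllerContext = new ControllerContext(requestContext, controllerBase);
            var actionDescriptor = new ReflectedControllerDescriptor(controller.GetType())
                .FindAction(controllerContext, actionName);
            if (actionDescriptor == null) return false; // no such public action for this request

            // Global + controller + action filters in MVC's own order
            var authorizationContext = new AuthorizationContext(controllerContext, actionDescriptor);
            foreach (var filter in FilterProviders.Providers
                .GetFilters(controllerContext, actionDescriptor)
                .Select(f => f.Instance).OfType<IAuthorizationFilter>())
            {
                // Side effect to be aware of: on success AuthorizeAttribute registers a cache
                // validation callback on the *current* response, so the page that renders the
                // link will not be output-cached.
                filter.OnAuthorization(authorizationContext);
                if (authorizationContext.Result != null) return false; // 401 / redirect = denied
            }
            return true;
        }
        finally { factory.ReleaseController(controller); }
    }
}
```

Because the same filters decide both the link and the real request, the UI cannot drift from the enforced policy when an attribute is changed or subclassed.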

Regarding asp.net-mvc - MVC UI trimming based on Controller/Action Authorize attributes, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/8051699/
