Controlling the accessibility of a Controller's Action methods in MVC

Time: 2021-05-15 21:06:24

I have an MVC 3.0 application with 3 controllers and action methods in it. The application is login based. Once the user is authenticated he lands on the homepage, where he sees the 3 menu links which are mapped to the action methods of the three controllers. The user can click the links or enter the URL in the address bar and navigate to the respective page.


But now the links have become role based like,


If IsProductPageAllowed=true, only then can the user see the ProductPage.


If IsMediaPageAllowed=true, only then can the user see the MediaPage.


I have handled the visibility of the links easily in the HomePage view depending on the property value true/false.


But I was looking for a correct way to block the user from accessing the ProductPage if he enters the URL in the address bar directly and the value is false. I can do this easily on each action method of the controller by checking the true/false property and redirecting to the homePage accordingly if the value is false.


I was thinking of some better way to do this, like in the Controller itself.


Thank you,


M.


2 solutions

#1

1

Define a Custom Security Filter that will intercept all the requests and authorize them before processing. If authorization is not successful the user will be redirected to an error page for Insufficient Permissions.


The permissions will be in terms of whether a specific role can call a specific Action of a Controller or not. There will also be a basic authorization that will redirect a user to a login page if he is not logged in.

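As an added illustration of the filter this answer describes (example code, not from the answer or the questioner's project): an AuthorizeAttribute subclass for ASP.NET MVC 3 that checks the question's per-page flag and sends a logged-in but unauthorized user to a permissions error page instead of the login page. IPermissionService, RequirePermissionAttribute and the Error/Forbidden route are assumed names. Subclassing AuthorizeAttribute rather than implementing IAuthorizationFilter directly keeps its output-cache validation hook, so a cached page is not served to a user who fails the check.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical lookup for the question's per-page flags (IsProductPageAllowed,
// IsMediaPageAllowed); back it with your own membership/role store.
public interface IPermissionService
{
    bool IsAllowed(string userName, string permission);
}

// Usage: [RequirePermission("IsProductPageAllowed")] on an action or a whole controller.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;
    // Set once at startup (e.g. from your DI container); hypothetical wiring.
    public static IPermissionService Permissions { get; set; }

    public RequirePermissionAttribute(string permission)
    {
        _permission = permission;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: user is authenticated (and in Roles/Users if those were set).
        if (!base.AuthorizeCore(httpContext))
            return false;
        // Page-level permission: runs for menu clicks and typed-in URLs alike.
        return Permissions.IsAllowed(httpContext.User.Identity.Name, _permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The default is a 401, which Forms Authentication turns into a redirect to
        // the login page even when the user is already logged in. Send logged-in but
        // unauthorized users to an "insufficient permissions" page instead
        // (Error/Forbidden is an assumed route in your app).
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Error", action = "Forbidden" }));
            return;
        }
        base.HandleUnauthorizedRequest(filterContext); // not logged in -> login page
    }
}
```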

#2

1

If you are using SimpleMembership, why don't you assign Roles to each membership? That way you can do this to restrict access to any action or even an entire controller.


// Only users in the "Admin" role reach this action; everyone else gets the
// AuthorizeAttribute's unauthorized handling.
[Authorize(Roles="Admin")]
public ActionResult Contact()
{
   ViewBag.Message = "Your contact page.";
   return View();
}

With the code above, only the admin user will gain access to that action. If you want to restrict an entire controller, just place [Authorize(Roles="Admin")] on top of the controller name.


If you need help on how to seed Roles into your database, read Kevin's Blog here.
