i'm starting a project using ASP.NET MVC and i can't figure out what's the best way of handling authorization and roles based on a team_id. Every blog entry or forum post i read always talk about defining a global role("admin", "helpdesk", "editor", etc...) using asp.net membership or creating a CustomAuthorize filter. The problem in my application is that there are no global roles. A user is going to be manager of team1, but cannot edit or view team2 details. So the authorization details are: - A user can view his team planning and his team mates availability, but cannot see other teams - team manager can edit team details, but cannot edit other team's details - A team can have 1 or many managers - A user can be part of 1 or many teams
我正在使用ASP启动一个项目。NET MVC和我都不知道基于team_id处理授权和角色的最佳方式是什么。我读过的每一篇博客文章或论坛帖子都在讨论如何使用asp.net成员身份定义一个全局角色(“admin”、“helpdesk”、“编辑器”等等),或者创建一个定制的过滤器。我的应用程序的问题是没有全局角色。用户将成为team1的管理者,但是不能编辑或查看team2的细节。所以授权细节是:用户可以查看他的团队计划和队友的可用性,但不能看到其他球队——团队经理可以编辑团队细节,但不能编辑其他团队的细节——一个团队可以有1或许多管理者——用户可以1或许多团队的一部分
ATM, i have 3 tables to handle this relation.
ATM,我有三个表来处理这个关系。
teams --> teams_users <-- users
team_id #team_id user_id
#user_id
isManager?
As last resort, i'm planing on storing user's current team_id and isManager status in session vars when he logs in, and create a CustomAuthorize filter that will check if session team_id is the same as model.team_id. Let me know if there is another way of doing it. Thank you
最后,我打算在用户登录时将用户当前的team_id和isManager状态存储在会话vars中,并创建一个CustomAuthorize过滤器,检查会话team_id是否与model.team_id相同。如果有别的办法,请告诉我。谢谢你!
4 个解决方案
#1
1
Finally, i ended up creating a custom route:
最后,我创建了一个自定义路径:
/{team_id}/controller/action/{id}
{team_id} is set once the user logs in, then a custom filter verifies that the user belongs to team on top of each controller. Whenever he changes team, the {team_id} is updated. In addition, there is a "isManager" filter to secure specific manager action that will check if the user is manager of the current team. Thank you guys for your answers
用户登录后,将设置{team_id},然后自定义过滤器验证用户在每个控制器上属于team。每当他更改团队时,都更新{team_id}。此外,还有一个“isManager”过滤器来保护特定的manager操作,该操作将检查用户是否是当前团队的经理。谢谢你们的回答
#2
1
I think your solution looks good. If you rely much on ASP.NET roles to do the initial lifting for you, you'll have this problem a lot:
我认为你的解决方案看起来不错。如果你非常依赖ASP的话。净角色为你做最初的提升,你会有很多这个问题:
User 1 is a manager for team 1 and a regular user for team 2. ViewSchedule is readonly for users and editable for managers. Code on ViewSchedule:
User 1是team 1的管理者,team 2的常规用户。ViewSchedule仅供用户阅读,可为管理人员编辑。在ViewSchedule代码:
if (User.IsInRole("manager")) {
if (isTeamManager(userid)) {}
}
else {}
bool isTeamManager(int userid) {
return db.IsTeamManager(userid) {
}
If you do this, then when the user is using team 2, he'll miss that block altogether. He is a manager as far as ASP.NET roles are concerned but isn't one for that team. No problem, obviously we can combine the conditionals like this:
如果您这样做,那么当用户使用team 2时,他将会完全错过这个块。他是ASP的经理。NET角色是值得关注的,但不是这个团队的角色。没问题,显然我们可以把这些条件结合起来
if (User.IsInRole("manager") && isTeamManager(userid)) { }
else {}
Oh yeah, and if we're calling isTeamManager() then we're already getting the only info that User.IsInRole("manager") provides so we don't even need that:
哦,是的,如果我们调用isTeamManager(),那么我们已经得到了User.IsInRole(“manager”)提供的唯一信息,所以我们甚至不需要:
if (isTeamManager(userid)) { }
else {}
So now we're not even using roles in our code. I'd just stick with your original idea.
现在我们甚至不用代码中的角色。我还是坚持你原来的想法。
#3
1
I would then have 2 roles - Manager and User Then I would tie in the database just like you specified.
然后我将有两个角色—管理器和用户,然后我将像您指定的那样绑定数据库。
The roles would control what actions each user can perform (user can view info, a manager can edit/create info), then in each action I would do a quick check can the current user. Do this action on the team that would be required (i.e. does the user have access to the team).
角色将控制每个用户可以执行的操作(用户可以查看信息,管理员可以编辑/创建信息),然后在每个操作中,我将快速检查当前用户。在需要的团队中执行此操作(即用户是否有权访问团队)。
#4
0
I have developed two custom attributes to handle cases like this: RoleOrOwnerAuthorization and RoleOrOwnerAssociatedAuthorization. RoleOrOwner looks to see if the current user of the system is the same as the user id of the data in question. That is, you are authorized to view your own data. RoleOrOwnerAssociated checks to see if there is a row in a join table relating the data to the current user. For example, I may have Groups, GroupLeaders, and Users, where GroupLeaders is a join table linking Groups to Users. To view a Group's data you would need to either be in the ViewGroups role or be a group leader (as evidenced by a row in GroupLeaders with the group's id and your id). I think that this works very well.
我开发了两个自定义属性来处理这样的情况:RoleOrOwnerAuthorization和RoleOrOwnerAssociatedAuthorization。RoleOrOwner查看系统的当前用户是否与相关数据的用户id相同。也就是说,您被授权查看自己的数据。RoleOrOwnerAssociated检查连接表中是否存在与当前用户关联的行。例如,我可能有组、组领导者和用户,其中的组领导者是连接组到用户的连接表。要查看一个组的数据,您需要要么是视图组角色,要么是组组长(可以从带有组id和id的组组长中看到)。我认为这很有效。
#1
1
Finally, i ended up creating a custom route:
最后,我创建了一个自定义路径:
/{team_id}/controller/action/{id}
{team_id} is set once the user logs in, then a custom filter verifies that the user belongs to team on top of each controller. Whenever he changes team, the {team_id} is updated. In addition, there is a "isManager" filter to secure specific manager action that will check if the user is manager of the current team. Thank you guys for your answers
用户登录后,将设置{team_id},然后自定义过滤器验证用户在每个控制器上属于team。每当他更改团队时,都更新{team_id}。此外,还有一个“isManager”过滤器来保护特定的manager操作,该操作将检查用户是否是当前团队的经理。谢谢你们的回答
#2
1
I think your solution looks good. If you rely much on ASP.NET roles to do the initial lifting for you, you'll have this problem a lot:
我认为你的解决方案看起来不错。如果你非常依赖ASP的话。净角色为你做最初的提升,你会有很多这个问题:
User 1 is a manager for team 1 and a regular user for team 2. ViewSchedule is readonly for users and editable for managers. Code on ViewSchedule:
User 1是team 1的管理者,team 2的常规用户。ViewSchedule仅供用户阅读,可为管理人员编辑。在ViewSchedule代码:
if (User.IsInRole("manager")) {
if (isTeamManager(userid)) {}
}
else {}
bool isTeamManager(int userid) {
return db.IsTeamManager(userid) {
}
If you do this, then when the user is using team 2, he'll miss that block altogether. He is a manager as far as ASP.NET roles are concerned but isn't one for that team. No problem, obviously we can combine the conditionals like this:
如果您这样做,那么当用户使用team 2时,他将会完全错过这个块。他是ASP的经理。NET角色是值得关注的,但不是这个团队的角色。没问题,显然我们可以把这些条件结合起来
if (User.IsInRole("manager") && isTeamManager(userid)) { }
else {}
Oh yeah, and if we're calling isTeamManager() then we're already getting the only info that User.IsInRole("manager") provides so we don't even need that:
哦,是的,如果我们调用isTeamManager(),那么我们已经得到了User.IsInRole(“manager”)提供的唯一信息,所以我们甚至不需要:
if (isTeamManager(userid)) { }
else {}
So now we're not even using roles in our code. I'd just stick with your original idea.
现在我们甚至不用代码中的角色。我还是坚持你原来的想法。
#3
1
I would then have 2 roles - Manager and User Then I would tie in the database just like you specified.
然后我将有两个角色—管理器和用户,然后我将像您指定的那样绑定数据库。
The roles would control what actions each user can perform (user can view info, a manager can edit/create info), then in each action I would do a quick check can the current user. Do this action on the team that would be required (i.e. does the user have access to the team).
角色将控制每个用户可以执行的操作(用户可以查看信息,管理员可以编辑/创建信息),然后在每个操作中,我将快速检查当前用户。在需要的团队中执行此操作(即用户是否有权访问团队)。
#4
0
I have developed two custom attributes to handle cases like this: RoleOrOwnerAuthorization and RoleOrOwnerAssociatedAuthorization. RoleOrOwner looks to see if the current user of the system is the same as the user id of the data in question. That is, you are authorized to view your own data. RoleOrOwnerAssociated checks to see if there is a row in a join table relating the data to the current user. For example, I may have Groups, GroupLeaders, and Users, where GroupLeaders is a join table linking Groups to Users. To view a Group's data you would need to either be in the ViewGroups role or be a group leader (as evidenced by a row in GroupLeaders with the group's id and your id). I think that this works very well.
我开发了两个自定义属性来处理这样的情况:RoleOrOwnerAuthorization和RoleOrOwnerAssociatedAuthorization。RoleOrOwner查看系统的当前用户是否与相关数据的用户id相同。也就是说,您被授权查看自己的数据。RoleOrOwnerAssociated检查连接表中是否存在与当前用户关联的行。例如,我可能有组、组领导者和用户,其中的组领导者是连接组到用户的连接表。要查看一个组的数据,您需要要么是视图组角色,要么是组组长(可以从带有组id和id的组组长中看到)。我认为这很有效。