How is everyone else performing fine-grained access control in an MVC app? I.e., a user may be related to multiple objects and have different access requirements for each object. Can this be achieved using asp.net identity claims / roles, or do I have to roll out my own?
Is there any design pattern I can follow if I need to roll out my own?
1 solution
#1
0
No doubt there are plenty of ways to do this, but asp.net-mvc lends itself to extending the AuthorizeAttribute, e.g.:
using System;
using System.Security.Principal;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ActionPermissionAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Override OnAuthorization, not AuthorizeCore, as AuthorizeCore will force a user login prompt rather than inform the user of the issue.
        var controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        var action = filterContext.ActionDescriptor.ActionName;
        bool authorised = HasPermission(filterContext.HttpContext.User, controller, action);
        if (!authorised)
            // Note: an exception thrown from a filter surfaces as a 500 unless an exception filter catches it;
            // setting filterContext.Result = new HttpStatusCodeResult(403) is the alternative.
            throw new UnauthorizedAccessException("You are not authorised to perform this action.");
        base.OnAuthorization(filterContext);
    }

    // Check permissions here, e.g. look up controller + action + group in a database.
    // Placeholder: denies everything until a real lookup is supplied (fail closed).
    private static bool HasPermission(IPrincipal user, string controller, string action)
    {
        return false;
    }
}
This can be applied to the controller (or to a base controller), so it doesn't need to be on every single action.
The actual permission check can be as simple or complicated as you want - e.g. storing controller + action + Active Directory group in a database will allow the permissions to be changed dynamically.
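The question asks about per-object rights, which a controller + action + group table does not express on its own: it decides whether a user may call an action at all, not whether they may call it on invoice 17 but not invoice 18. As an added example (not code from the question or the answer), here is one way to do object-level checks through the same AuthorizeAttribute extension point in ASP.NET MVC 5: the object id is read from the route, looked up against a per-user, per-object permission store, and a missing grant yields 403 for an authenticated user while anonymous callers still get the normal 401/login redirect. IPermissionStore, InMemoryPermissionStore, RequiresObjectPermissionAttribute, the Permission flags and the sample grants are all hypothetical names and constructed data introduced here.

```csharp
// Added example, not code from the original question or answer. Target: ASP.NET MVC 5
// (System.Web.Mvc). IPermissionStore, InMemoryPermissionStore and the sample grants below
// are hypothetical / constructed; replace the store with your own database-backed one.
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

[Flags]
public enum Permission { None = 0, Read = 1, Write = 2, Delete = 4 }

public interface IPermissionStore
{
    // Rights the user holds on one specific object; None when there is no grant at all.
    Permission GetPermissions(string userId, string objectType, string objectId);
}

// Constructed in-memory store so the example runs without a database. Keys are
// userId|objectType|objectId; sample users are keyed by name only for readability.
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private readonly Dictionary<string, Permission> _grants =
        new Dictionary<string, Permission>(StringComparer.Ordinal)
        {
            { "alice|Invoice|17", Permission.Read | Permission.Write | Permission.Delete },
            { "alice|Invoice|18", Permission.Read },
            { "bob|Invoice|17",   Permission.Read },
        };

    public Permission GetPermissions(string userId, string objectType, string objectId)
    {
        Permission p;
        return _grants.TryGetValue(userId + "|" + objectType + "|" + objectId, out p) ? p : Permission.None;
    }
}

// Usage: [RequiresObjectPermission("Invoice", Permission.Delete)] on an action whose route
// parameter "id" identifies the invoice. Stack several attributes to require several rights.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public sealed class RequiresObjectPermissionAttribute : AuthorizeAttribute
{
    private readonly string _objectType;
    private readonly Permission _required;
    private readonly string _routeKey;

    // Replace with resolution from your DI container in a real application.
    public static Func<IPermissionStore> StoreFactory = () => new InMemoryPermissionStore();

    public RequiresObjectPermissionAttribute(string objectType, Permission required, string routeKey = "id")
    {
        _objectType = objectType;
        _required = required;
        _routeKey = routeKey;
    }

    // The base class re-runs AuthorizeCore from its output-cache validation callback, so putting
    // the object check here means an output-cached page is never handed to a user it rejects.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))       // not authenticated, or outside Roles/Users
            return false;

        object rawId;
        var routeValues = httpContext.Request.RequestContext.RouteData.Values;
        if (!routeValues.TryGetValue(_routeKey, out rawId) || rawId == null)
            return false;                           // no object id in the route: fail closed

        var userId = GetUserId(httpContext.User);
        if (string.IsNullOrEmpty(userId))
            return false;

        var granted = StoreFactory().GetPermissions(userId, _objectType, rawId.ToString());
        return (granted & _required) == _required;  // every required bit must be granted
    }

    // Authenticated but lacking the right on this object: 403. Anonymous: the usual 401/login redirect.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }

    private static string GetUserId(IPrincipal user)
    {
        // Prefer the NameIdentifier claim ASP.NET Identity issues (stable across renames); else the name.
        var identity = user == null ? null : user.Identity as ClaimsIdentity;
        var idClaim = identity == null ? null : identity.FindFirst(ClaimTypes.NameIdentifier);
        if (idClaim != null) return idClaim.Value;
        return user != null && user.Identity != null ? user.Identity.Name : null;
    }
}
```

Two things to keep straight when using a filter like this. The route key passed to the attribute must be the exact parameter the action binds to; if the filter checks the `id` route value while the action reads the object id from a form field or a different parameter, the filter authorises one object and the action touches another, which is the classic object-level bypass. And the check is against the id the caller supplied, so it must always go back to the permission store; trusting anything in the request (a hidden field, a claim listing "my objects" that was minted at login) only tells you what the caller wants you to believe.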