我是新的MVC 3用户,我试图通过SQL数据库进行管理。 首先,我有客户实体和管理员可以通过在客户实体中为布尔类型的管理域来定义。 我只想在产品页面访问管理员,而不是普通客户。 我想让[Authorize(Roles =“admin”)]而不是[Authorize]。 但是,我不知道如何在我的代码中真正实现管理角色。 然后在我的HomeController中,我编写了这段代码。MVC 3授权自定义角色
public class HomeController : Controller
{
[HttpPost]
public ActionResult Index(Customer model)
{
if (ModelState.IsValid)
{
//define user whether admin or customer
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["rentalDB"].ToString());
String find_admin_query = "SELECT admin FROM Customer WHERE userName = '" + model.userName + "' AND admin ='true'";
SqlCommand cmd = new SqlCommand(find_admin_query, conn);
conn.Open();
SqlDataReader sdr = cmd.ExecuteReader();
//it defines admin which is true or false
model.admin = sdr.HasRows;
conn.Close();
//if admin is logged in
if (model.admin == true) {
Roles.IsUserInRole(model.userName, "admin"); //Is it right?
if (DAL.UserIsVaild(model.userName, model.password))
{
FormsAuthentication.SetAuthCookie(model.userName, true);
return RedirectToAction("Index", "Product");
}
}
//if customer is logged in
if (model.admin == false) {
if (DAL.UserIsVaild(model.userName, model.password))
{
FormsAuthentication.SetAuthCookie(model.userName, true);
return RedirectToAction("Index", "Home");
}
}
ModelState.AddModelError("", "The user name or password is incorrect.");
}
// If we got this far, something failed, redisplay form
return View(model);
}
和DAL类是
public class DAL
{
static SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["rentalDB"].ToString());
public static bool UserIsVaild(string userName, string password)
{
bool authenticated = false;
string customer_query = string.Format("SELECT * FROM [Customer] WHERE userName = '{0}' AND password = '{1}'", userName, password);
SqlCommand cmd = new SqlCommand(customer_query, conn);
conn.Open();
SqlDataReader sdr = cmd.ExecuteReader();
authenticated = sdr.HasRows;
conn.Close();
return (authenticated);
}
}
最后,我想进行自定义[授权(角色= “管理员”)
[Authorize(Roles="admin")]
public class ProductController : Controller
{
public ViewResult Index()
{
var product = db.Product.Include(a => a.Category);
return View(product.ToList());
}
}
这是现在我的源代码。我是否需要制作'AuthorizeAttribute'类? 如果我必须这样做,我该怎么做呢?你能向我解释一下吗?我无法理解如何在我的情况下设置特定角色。 请帮我,我该怎么办。谢谢。
你的代码很容易打开sql注入:String find_admin_query =“SELECT admin FROM Customer WHERE userName ='”+ model.userName +“'AND admin ='true'”; 如果用户名是:';从用户删除; - – 2012-03-11 23:11:15