这是我创建的一个属性,可用于指导未经授权的安全操作。它还允许您指定一个将被传递给安全控制器上的未授权操作的原因,然后您可以将该原因用于视图。
您可以创建任意数量的属性来自定义该属性以适合您的特定应用程序,只需确保将其添加到RouteValueDictionary。
[AttributeUsage(AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public sealed class ApplySecurityAttribute : ActionFilterAttribute
{
private readonly Permission _permission;
public ApplySecurityAttribute(Permission permission)
: this(permission, string.Empty) {}
public ApplySecurityAttribute(Permission permission, string reason)
{
_permission = permission
Reason = reason;
}
public string Reason { get; set; }
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (!PermissionsManager.HasPermission(_permission)) // Put security check here
{
var routeValueDictionary = new RouteValueDictionary
{
{ "controller", "Security" }, // Security Controller
{ "action", "Unauthorized" }, // Unauthorized Action
{ "reason", Reason } // Put the reason here
};
filterContext.Result = new RedirectToRouteResult(routeValueDictionary);
}
base.OnActionExecuting(filterContext);
}
}
这里是安全控制器
public class SecurityController : Controller
{
public ViewResult Unauthorized(string reason)
{
var vm = new UnauthorizedViewModel { Reason = reason };
return View(vm);
}
}
这里是你想确保
[ApplySecurity(Permission.CanNuke, Reason = "You are not authorized to nuke!")]
这里,控制器上的属性声明PermissionsManager怎么做的检查,以查看用户有权限
public static class PermissionsManager
{
public static bool HasPermission(EZTracPermission permission)
{
return HttpContext.Current.GetCurrentUser().Can(permission);
}
}
http://stackoverflow.com/questions/1315524/is-it-possible-to-override-the-default-behavior-of-authorize-in-asp-net-mvc – womp 2010-01-28 19:46:33