How to create a Custom Authorize Attribute by comparing User Id stored in table with Current User Id in Asp.net MVC 5?

I need to control access to my controller's Edit method based on the user ID, i.e. only the user who created that particular record may access the Edit method. The User Id is stored in the UserID column of the EmpProfile table; I want to compare the currently logged-in user with the stored UserID and allow access on that basis. My custom authorize attribute code is:

using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class AuthorizeAuthorAttribute : AuthorizeAttribute
{
    RecruitDB mydb = new RecruitDB();   // My Entity
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            return false;
        }
        string CurrentUser = httpContext.User.Identity.GetUserId().ToString(); // Current User ID (converted to string)

        var userName = from m in mydb.EmpProfiles            // Query to get UserID from the EmpProfile.UserID column
                       where m.UserID == CurrentUser
                       select m.UserID;
        string my = userName.ToString();                    // Converting to string
        if (CurrentUser.Contains(my))                       // Comparing
        {
            return true;
        }
        else
        {
            return false;
        }
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

Controller code:

[AuthorizeAuthor]
public ActionResult Edit(int? id)
{
    // edit logic omitted in the question
    return View();
}

But once the attribute is applied I am always redirected to the login page, even when the current user is the same as the author.

In reply to your comment:

Adding [Authorize(User="SomeUser")] to my action only permits a specific hard-coded user to enter. But how can only the user who created the data be authorized? For that, the current user ID and the data creator's user ID should match, much like a site's user dashboard can only be accessed by the user who created it. Does MVC provide such authorization? Please advise.

You are correct to note that the Authorize attribute, like all attributes in .NET, can only take constant arguments.

For that kind of flexibility you cannot use an attribute in this case; you have to implement your own authorization logic and call it from the controller action, like so:

public ActionResult Edit(Int32? id) {
    // Repeat the below logic for each action you want access-control in, ensure it is also in your POST handlers too.
    if( !this.IsAuthorized() ) return this.Http401("You are not allowed to edit this record.");
    return this.View();
}

protected bool IsAuthorized() {
    // Controller.User is the principal for the current request (HttpRequestBase has no User property)
    if( this.User.Identity.Name == "someoneIDontLike" ) return false;
    return true;
}

protected ActionResult Http401(String message) {
    this.Response.StatusCode = 401;
    // This requires you to create your own custom HTTP 401 "Unauthorized" view file (Http401.cshtml) and viewmodel
    return this.View( "Http401", new Http401ViewModel(message) );
}
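The per-record ownership check the question asks for, done in the action as the answer suggests, as an added example that is neither the question's nor the answer's code; it assumes RecruitDB is an Entity Framework DbContext whose EmpProfiles entity class is named EmpProfile with an integer key `Id` (both names assumed) and the `UserID` string column from the question.

```csharp
using System.Net;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Added example (not the answer's code). Assumes the question's RecruitDB is an Entity
// Framework DbContext with an EmpProfiles DbSet, that the entity class is named EmpProfile
// and has an integer key `Id` plus the string column `UserID` (class and key names assumed).
public class EmpProfileController : Controller
{
    private readonly RecruitDB mydb = new RecruitDB();

    // The ownership rule from the question: the stored UserID of the record being edited
    // must equal the id of the signed-in user. GetUserId() already returns a string.
    private bool CurrentUserOwns(EmpProfile profile)
    {
        return profile != null && profile.UserID == User.Identity.GetUserId();
    }

    [Authorize]   // still requires a signed-in user; ownership is decided per record below
    public ActionResult Edit(int? id)
    {
        if (id == null) return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        var profile = mydb.EmpProfiles.Find(id.Value);
        if (profile == null) return HttpNotFound();
        // 403, not 401: forms authentication turns a 401 into a redirect to the login page,
        // which is the behaviour the question describes.
        if (!CurrentUserOwns(profile)) return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        return View(profile);
    }

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        // Repeat the check on POST against the row in the database, never against a value
        // posted by the client, and exclude UserID from binding so the owner cannot be changed.
        var profile = mydb.EmpProfiles.Find(id);
        if (profile == null) return HttpNotFound();
        if (!CurrentUserOwns(profile)) return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        if (!TryUpdateModel(profile, null, null, new[] { "UserID" })) return View(profile);
        mydb.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

With forms authentication a 401 response is rewritten into a redirect to the login page, so a signed-in user who fails the ownership check should receive 403 (or 404 if you prefer not to reveal that the record exists) rather than 401.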