2012-11-30
1

How to modify the Authorize attribute to allow a set of user roles in MVC 3

In my MVC3 web application, I have extended the Authorize attribute like below:

using System.Security.Principal; 
using System.Web; 
using System.Web.Mvc; 
using System.Web.Security; 

public class MyAuthorizeAttribute : AuthorizeAttribute 
{ 
    protected override bool AuthorizeCore(HttpContextBase httpContext) 
    { 
        // Authenticate is the application's own helper (not shown in the question). 
        if (Authenticate.IsAuthenticated() && httpContext.User.Identity.IsAuthenticated) 
        { 
            var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName]; 
            if (authCookie != null) 
            { 
                // The role names were written '|'-separated into the ticket's UserData at login. 
                var ticket = FormsAuthentication.Decrypt(authCookie.Value); 
                var roles = ticket.UserData.Split('|'); 
                var identity = new GenericIdentity(ticket.Name); 
                httpContext.User = new GenericPrincipal(identity, roles); 
            } 
        } 
        // The base implementation checks Users/Roles against httpContext.User. 
        return base.AuthorizeCore(httpContext); 
    } 

    public override void OnAuthorization(AuthorizationContext filterContext) 
    { 
        if (!Authenticate.IsAuthenticated()) 
            HandleUnauthorizedRequest(filterContext); 

        base.OnAuthorization(filterContext); 
    } 
} 

In my action, I use it like this:

[MyAuthorize(Roles = "Member,Inspector,SalesRep,Admin,SuperAdmin")] 
    public ActionResult OrderUpload() 

Now I have to specify every user role in each action. What I want to do is specify something like the following:

[MyAuthorize(Roles = "Member")] 
    public ActionResult OrderUpload() 

and this should allow any user role that is equal to or higher than "Member". So "SalesRep" should be allowed, but "Visitor", which is below "Member", should not.

All user roles are in an enum with increasing values:

public enum UserAccountType 
{ 
    Visitor = 5, 
    Member = 10, 
    Inspector = 15, 
    SalesRep = 20, 
    Admin = 25, 
    SuperAdmin = 30 
} 

How do I modify MyAuthorizeAttribute to make this work?

Thanks

Answers

2

This is the code that worked for me:

using System; 
using System.Security.Principal; 
using System.Web; 
using System.Web.Mvc; 
using System.Web.Security; 

public class MyAuthorizeAttribute : AuthorizeAttribute 
{ 
    protected override bool AuthorizeCore(HttpContextBase httpContext) 
    { 
        if (Authenticate.IsAuthenticated() && httpContext.User.Identity.IsAuthenticated) 
        { 
            var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName]; 
            string[] roles = null; 

            if (authCookie != null) 
            { 
                // Role names were stored '|'-separated in the ticket's UserData at login. 
                var ticket = FormsAuthentication.Decrypt(authCookie.Value); 
                roles = ticket.UserData.Split('|'); 
                var identity = new GenericIdentity(ticket.Name); 
                httpContext.User = new GenericPrincipal(identity, roles); 
            } 

            // No Roles given on the attribute: any authenticated user is allowed. 
            if (Roles == string.Empty) 
                return true; 

            // No ticket, so no roles to compare against: deny instead of dereferencing null. 
            if (roles == null || roles.Length == 0) 
                return false; 

            // Assuming Roles given in the MyAuthorize attribute will only have 1 UserAccountType; 
            // if more than one, no errors are thrown but this will always return false. 
            // Enum.Parse throws for a name that is not in UserAccountType. 
            else if ((UserAccountType)Enum.Parse(typeof(UserAccountType), roles[0]) >= (UserAccountType)Enum.Parse(typeof(UserAccountType), Roles)) 
                return true; 
            else 
                return false; 
        } 
        else 
            return false; 

        //return base.AuthorizeCore(httpContext); 
    } 

    public override void OnAuthorization(AuthorizationContext filterContext) 
    { 
        if (!Authenticate.IsAuthenticated()) 
            HandleUnauthorizedRequest(filterContext); 

        base.OnAuthorization(filterContext); 
    } 
} 
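Added example, not code from the question or from either answer: a complete rank-based attribute for the enum in the question. The attribute name MinimumRoleAttribute, the choice to answer 403 for an authenticated but under-ranked user, and the assumption that login wrote the role names '|'-separated into the forms ticket's UserData (as the question's code reads them) are mine. It goes beyond the accepted answer in three ways: it fails closed on a missing, expired or unreadable ticket instead of throwing, it accepts a ticket carrying several role names by taking the highest rank, and it refuses numeric strings so that "30" cannot be parsed as SuperAdmin.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Same enum as in the question: a higher value is a higher privilege.
public enum UserAccountType
{
    Visitor = 5,
    Member = 10,
    Inspector = 15,
    SalesRep = 20,
    Admin = 25,
    SuperAdmin = 30
}

// Assumed name: [MinimumRole(UserAccountType.Member)] admits Member and every higher rank.
public sealed class MinimumRoleAttribute : AuthorizeAttribute
{
    private readonly UserAccountType _minimum;

    public MinimumRoleAttribute(UserAccountType minimum)
    {
        _minimum = minimum;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        // Fail closed: no authenticated identity, no forms cookie, or an unreadable ticket all deny.
        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return false;

        FormsAuthenticationTicket ticket;
        try
        {
            // With protection="All", Decrypt also validates the MAC, so a tampered cookie throws here.
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (ArgumentException)
        {
            return false;
        }
        if (ticket == null || ticket.Expired)
            return false;

        // Assumption (as in the question): login wrote the role names '|'-separated into UserData.
        var roleNames = (ticket.UserData ?? string.Empty)
            .Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);

        // Rebuild the principal so User.IsInRole and later filters see the ticket's roles.
        httpContext.User = new GenericPrincipal(new GenericIdentity(ticket.Name, "Forms"), roleNames);

        UserAccountType? highest = HighestRank(roleNames);
        return highest.HasValue && highest.Value >= _minimum;
    }

    // Highest defined rank among the names, or null when none parses. Unknown names are
    // skipped rather than thrown on, and several names (multi-role tickets) are handled.
    public static UserAccountType? HighestRank(string[] roleNames)
    {
        UserAccountType? best = null;
        foreach (var name in roleNames)
        {
            var trimmed = name.Trim();
            int numeric;
            // Enum.TryParse would accept "30" as SuperAdmin; only symbolic names count, case-sensitively.
            if (int.TryParse(trimmed, out numeric))
                continue;
            UserAccountType parsed;
            if (!Enum.TryParse(trimmed, false, out parsed) || !Enum.IsDefined(typeof(UserAccountType), parsed))
                continue;
            if (!best.HasValue || parsed > best.Value)
                best = parsed;
        }
        return best;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            // Authenticated but under-ranked: 403 instead of the default 401, which forms
            // authentication would otherwise turn into a redirect back to the login page.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage in a controller, replacing the comma-separated Roles list from the question:
//   [MinimumRole(UserAccountType.Member)]
//   public ActionResult OrderUpload() { ... }
```

One caveat on the approach itself: comparing enum values makes every higher rank a strict superset of every lower one. That matches a linear ladder like the one in the question, but it silently grants an Inspector-only page to SalesRep and above; if two roles are meant to be lateral rather than ordered, keep the base class's Roles list for those actions instead of a minimum rank.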
1

I don't use AuthorizeAttribute but an ActionFilter (that's just me, it's how I learned it), but what I would do is add a property on the AuthorizeAttribute that gets set when the attribute is triggered before the action.

using System; 
using System.Web; 
using System.Web.Mvc; 
using System.Web.Security; 

public class MyAuthorizeAttribute : AuthorizeAttribute 
{ 
    private string Role = ""; 

    public MyAuthorizeAttribute(string role){ 
        this.Role = role; 
    } 

    protected override bool AuthorizeCore(HttpContextBase httpContext) 
    { 
        // Get the user's role; the question keeps it in the forms ticket's UserData. 
        var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName]; 
        if (authCookie == null) 
            return false; 
        var ticket = FormsAuthentication.Decrypt(authCookie.Value); 
        var userRole = ticket.UserData.Split('|')[0]; 

        // now do a check if the Role is authorized or not using your enum. 
        // returning false makes the base class call HandleUnauthorizedRequest (the error page) 
        UserAccountType required, actual; 
        if (!Enum.TryParse(this.Role, out required) || !Enum.TryParse(userRole, out actual)) 
            return false; 
        bool roleIsAuthorized = actual >= required; 
        return roleIsAuthorized; 
    } 

    public override void OnAuthorization(AuthorizationContext filterContext) 
    { 
        // the base implementation calls AuthorizeCore and, on false, HandleUnauthorizedRequest 
        base.OnAuthorization(filterContext); 
    } 
} 

Now once you have that role, look it up in the enum and compare whether the role is allowed to access the page or not; if not, return an error page. Since I'm not familiar with OnAuthorization, I would put this process in AuthorizeCore.

+0

Now how would I convert string[roles] into my enum? By string comparison against all my enum roles?

+0

Yes. I have my roles in a table and have a collection, so I would do an EF-type SQL. But if you're using an enum, then yes, look up that string in the enum. – gdubs

+1

I tried the above and it started throwing errors where I didn't specify any role, e.g. [MyAuthorize]. So I used your idea and came up with mine. I've given you the point for the idea. Please see if it works for you.