2012-07-27

Custom user levels and permissions in MVC

I want to call something like the following whenever a GET or POST hits the create or edit article page:

// userId = ID or username of the logged-in user
// companyId = ID or name of the company to which the current blog is assigned
// blogId = ID or name of the blog for which the article is being written
// returnSuccessView = the view returned if the user has access
// returnFailView = the view returned if the user does not have access

return View(CheckUserAccess(userId, companyId, blogId, returnSuccessView, returnFailView));

Can someone show me what this function would look like? My structure is:

Company -> Blog -> Article -> Comment

I want to create permissions so that only a user who belongs to a given company, belongs to a given blog, and holds a given permission can perform the requested task.

For example, my user model would have an ICollection of the companies a user can be associated with, and an ICollection of the blogs they can be associated with. They could also have an ICollection of permissions, such as super user, article author, article editor, moderator, etc.

I will create a separate permissions model so that permissions can be added and removed through the UI.

The function should check that the requested company, blog and permission match those associated with the user (in their ICollections).

What is the best way to go about something like this? Thanks.

Answer


I would suggest handling this with a custom [Authorize] attribute. Let's take an example:

using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
     var authorized = base.AuthorizeCore(httpContext);
     if (!authorized)
     {
      // The user is not even authenticated => we can't get much further
      return false;
     }

     // At this stage we know that there's an authenticated user
     // let's see who he is by fetching his username
     string username = httpContext.User.Identity.Name;

     RouteData rd = httpContext.Request.RequestContext.RouteData;

     // Now, let's read the companyId and blogId parameters that he sent
     // in the request and ensure that he is not cheating on us
     string companyId = rd.Values["companyId"] as string;
     string blogId = rd.Values["blogId"] as string;

     if (string.IsNullOrEmpty(companyId) || string.IsNullOrEmpty(blogId))
     {
      // One of the required parameters was not supplied when the action was invoked
      // => we can't get much further
      return false;
     }

     return IsOwner(username, companyId, blogId);
    }

    private bool IsOwner(string username, string companyId, string blogId)
    {
     // TODO: you know what to do here:
     // check with your data store or wherever you have stored this info
     throw new NotImplementedException();
    }
}

Now you can decorate your controllers/actions with this attribute:

[MyAuthorize] 
public ActionResult Edit(string companyId, string blogId) 
{ 
    // if we got that far it means that the user is authorized to edit this blog post 
    // and we could allow him to see the edit view 
    EditViewModel model = ... 
    return View(model); 
} 

Of course, to make sure the user isn't trying to cheat you on the POST action, you can decorate it with this attribute as well:

[MyAuthorize] 
[HttpPost] 
public ActionResult Edit(EditViewModel model) 
{ 
    // if we got that far it means that the user is authorized to edit this blog post 
    // and we could go ahead and perform the necessary update 
    .... 
} 

That's very insightful. However, I'm not entirely sure what to do for the IsOwner part (which is really what I was asking in my question). If my user model contains an ICollection that stores all of a user's associated companies, how do I check that ICollection for the requested company? – user1477388 2012-07-27 15:39:19


Oh, that's a question specific to whatever database or whatever you are using. It has absolutely nothing to do with ASP.NET MVC 3, which was your original question. In my answer I showed you how to write a custom authorization attribute that lets you read the RouteData parameters and retrieve the currently connected username. How you will verify whether the user belongs to the blog or the company or whatever I don't know; it depends entirely on your implementation. So I would suggest you start a new thread explaining which data access technology you are using (EF, I guess), showing your database schema, ... – 2012-07-27 15:43:39


...and asking the specific question about how to perform the given SQL or whatever query. – 2012-07-27 15:45:34
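As an added example (not code from the original answer or from the asker's project), here is what the IsOwner step can look like once the user's collections are loaded, matching the Company -> Blog -> Article -> Comment structure and the ICollection-based user model described in the question. The class and permission names (Company, Blog, Permission, User, "SuperUser", "ArticleAuthor", "ArticleEditor", "Moderator") and the action-to-permission map are assumptions, since the question does not define them. It is plain C# with no MVC dependency, so it compiles and runs as a console program with constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed model shapes; the question only gives "Company -> Blog -> Article -> Comment"
// and says users hold ICollections of companies, blogs and permissions.
public class Company { public int Id; public string Name; }
public class Blog { public int Id; public int CompanyId; public string Name; }
public class Permission { public string Name; } // e.g. "SuperUser", "ArticleAuthor", "ArticleEditor", "Moderator"

public class User
{
    public string UserName;
    public ICollection<Company> Companies = new List<Company>();
    public ICollection<Blog> Blogs = new List<Blog>();
    public ICollection<Permission> Permissions = new List<Permission>();
}

public static class BlogAccessPolicy
{
    // Assumed map from the requested action to the permissions that grant it.
    private static readonly Dictionary<string, string[]> Grants = new Dictionary<string, string[]>
    {
        { "CreateArticle",    new[] { "ArticleAuthor", "ArticleEditor" } },
        { "EditArticle",      new[] { "ArticleEditor" } },
        { "ModerateComments", new[] { "Moderator" } },
    };

    // Returns true only if the user belongs to the company, the blog is one of the
    // user's blogs AND that blog belongs to the requested company, and a permission
    // the user holds covers the action. Anything unknown or missing is denied.
    public static bool IsAllowed(User user, int companyId, int blogId, string action)
    {
        if (user == null) return false;

        // Check the blog/company pair together, not each collection on its own:
        // otherwise a user could combine a blog they own with a company they do
        // not belong to (or the other way round) and still pass.
        Blog blog = user.Blogs.FirstOrDefault(b => b.Id == blogId && b.CompanyId == companyId);
        if (blog == null) return false;
        if (!user.Companies.Any(c => c.Id == companyId)) return false;

        // Assumed semantics: a super user may perform any action within their scope.
        if (user.Permissions.Any(p => p.Name == "SuperUser")) return true;

        string[] required;
        if (!Grants.TryGetValue(action, out required)) return false; // unknown action => deny
        return user.Permissions.Any(p => required.Contains(p.Name));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data for the demonstration.
        var acme = new Company { Id = 1, Name = "Acme" };
        var acmeBlog = new Blog { Id = 10, CompanyId = 1, Name = "Acme News" };

        var alice = new User { UserName = "alice" };
        alice.Companies.Add(acme);
        alice.Blogs.Add(acmeBlog);
        alice.Permissions.Add(new Permission { Name = "ArticleAuthor" });

        Console.WriteLine(BlogAccessPolicy.IsAllowed(alice, 1, 10, "CreateArticle")); // author on her own blog
        Console.WriteLine(BlogAccessPolicy.IsAllowed(alice, 1, 10, "EditArticle"));   // alice is not an editor
        Console.WriteLine(BlogAccessPolicy.IsAllowed(alice, 2, 20, "CreateArticle")); // company 2 / blog 20 are not hers
        Console.WriteLine(BlogAccessPolicy.IsAllowed(alice, 2, 10, "CreateArticle")); // blog 10 belongs to company 1, not 2
    }
}
```

In the attribute from the answer, IsOwner would int.TryParse the two route strings (denying on parse failure), load the User by username, and call BlogAccessPolicy.IsAllowed with the action name taken from the route. Two points worth keeping in mind when wiring it up: the POST Edit action in the answer takes only the view model, so if companyId and blogId arrive in the form body rather than the route, the attribute has to read them from there too; and the ids the attribute authorizes must be the same ids the action then uses to perform the update, otherwise the check and the write can refer to different records.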