2011-02-20 80 views
2

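MVC2 C# Restrict access to a view based on ID

I have two tables, one with jobs and one with managers; when a job ID is passed to the view 'Detail', the details of that job are accessible.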

Job_id Job_Title  Manager_id 
23  Chimney Sweep 65 
24  Rat Catcher  84 

Managers Email 
65   [email protected] 
66   [email protected] 

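I want to restrict access to the view based on MANAGER_EMAIL - if we are at http://jobsite/jobs/Detail/23 then only Arthur can access the view, for example.. will be using AD to pick out the user's email..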

Any pointers would be much appreciated!

Answers

4

You could write a custom model binder:

using System; 
using System.Web; 
using System.Web.Mvc; 

public class JobModelBinder : DefaultModelBinder 
{ 
    public override object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) 
    { 
     // fetch the job id from the request (route values are objects, so convert) 
     int jobId = Convert.ToInt32(controllerContext.RouteData.Values["id"]); 

     // fetch the currently connected username 
     string user = controllerContext.HttpContext.User.Identity.Name; 

     // Remark: You might need an additional step here 
     // to query AD and fetch the email 

     // Given the job id and the currently connected user, try 
     // to fetch the corresponding job 
     Job job = FetchJob(jobId, user); 

     if (job == null) 
     { 
      // We didn't find any job that corresponds to 
      // the currently connected user 
      // => we throw 
      throw new HttpException(403, "Forbidden"); 
     } 
     return job; 
    } 

    private Job FetchJob(int jobId, string user) 
    { 
     throw new NotImplementedException(); 
    } 
} 

and then have your controller:

public class JobsController : Controller 
{ 
    [Authorize] 
    public ActionResult Show([ModelBinder(typeof(JobModelBinder))]Job job) 
    { 
     return View(job); 
    } 
} 

The custom model binder could also be registered in Application_Start:

protected void Application_Start() 
{ 
    ... 
    ModelBinders.Binders.Add(typeof(Job), new JobModelBinder()); 
} 

which would simplify your controller action:

public class JobsController : Controller 
{ 
    [Authorize] 
    public ActionResult Show(Job job) 
    { 
     // If we get to that point it means that the 
     // currently connected user has the necessary 
     // permission to consult this view. The custom 
     // model binder would have populated the Job model 
     // and we can safely pass it to the view for display 
     return View(job); 
    } 
} 

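Another advantage of this approach is that you could inject dependencies into the constructor of the custom model binder. Those dependencies might be needed when trying to communicate with AD and the database.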

+0

Thanks, looks like a great approach, going to give it a go! :) – beebul
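
An added example, not part of the original answer: one way to fill in the FetchJob that the answer above leaves as NotImplementedException, so that the ownership check is part of the lookup itself. The Job and Manager classes, JobAccess, the emailFor delegate standing in for the AD query, and all sample rows, accounts and addresses are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types: the page gives only the table columns, not classes.
public class Job { public int Id; public string Title; public int ManagerId; }
public class Manager { public int Id; public string Email; }

public class JobAccess
{
    private readonly IEnumerable<Job> _jobs;
    private readonly IEnumerable<Manager> _managers;
    private readonly Func<string, string> _emailFor; // assumed stand-in for the AD lookup
    public JobAccess(IEnumerable<Job> jobs, IEnumerable<Manager> managers, Func<string, string> emailFor)
    { _jobs = jobs; _managers = managers; _emailFor = emailFor; }

    // Returns the job only when the caller's email is the job manager's email.
    // A missing job, a malformed id and someone else's job all yield null, so
    // the binder's 403 does not reveal which job ids exist.
    public Job FetchJob(object routeId, string userName)
    {
        int jobId;
        if (!int.TryParse(Convert.ToString(routeId), out jobId)) return null;
        string email = _emailFor(userName);
        if (string.IsNullOrEmpty(email)) return null; // user not resolvable: deny
        return (from j in _jobs
                join m in _managers on j.ManagerId equals m.Id
                where j.Id == jobId
                   && string.Equals(m.Email, email, StringComparison.OrdinalIgnoreCase)
                select j).SingleOrDefault();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample rows and accounts; the addresses are placeholders.
        var jobs = new[] { new Job { Id = 23, Title = "Chimney Sweep", ManagerId = 65 },
                           new Job { Id = 24, Title = "Rat Catcher", ManagerId = 84 } };
        var managers = new[] { new Manager { Id = 65, Email = "Arthur@example.test" },
                               new Manager { Id = 84, Email = "other@example.test" } };
        Func<string, string> directory = u => u == @"CORP\arthur" ? "arthur@example.test"
                                            : u == @"CORP\other" ? "other@example.test" : null;
        var access = new JobAccess(jobs, managers, directory);
        Console.WriteLine(access.FetchJob("23", @"CORP\arthur") != null);   // manager of job 23
        Console.WriteLine(access.FetchJob("23", @"CORP\other") != null);    // manager of another job
        Console.WriteLine(access.FetchJob("abc", @"CORP\arthur") != null);  // malformed route id
    }
}
```

Because the manager's email is part of the query's where clause, there is no code path that loads a job first and checks the owner afterwards.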