Inheritance of Authorized Roles in controller clas

2019-05-26 00:07发布

问题:

I've created controller classes to assist with Role authorization.

I have a base class ControllersAuthorities, which is the highest level of authority. I have created the other classes to extend each base class.

[Authorize(Roles = "Owner")]
public abstract class ControllerAuthorities:Controller { }
[Authorize(Roles = "Admin")]
public abstract class AdminController:ControllerAuthorities { }

[Authorize(Roles = "Employee")]
public abstract class EmployeeController:AdminController { }
[Authorize(Roles = "Sales")]
public abstract class SalesController:EmployeeController { }

First question, will the Owner, Admin and Employee Roles have access to the SalesController?

When implementing these classes in my project controllers. If I leave the [Authorize] uncommented, will this override the inherited authority Role?

//[Authorize]
public class AccountController:ControllerAuthorities
{

回答1:

Looking at AttributeUsage attribute of Authorize attribute ;

[AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method, 
    Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter

Inherited= true means that subclasses of the class which decorated with this attribute can inherit this attribute.

AllowMultiple=true means that this attribute can be placed more than once on same entity.

With inherited attributes and allowed usage of same attribute your SalesController can be considered as

[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }

And you can test this at runtime with this code.

var a = typeof(SalesController).GetCustomAttributes(true).ToArray();

First question, will the Owner, Admin and Employee Roles have access to the SalesController? Inherited attributes are separated so they are applied independently.For one user to access SalesController , user must have all roles(owner ,admin ,employee and sales) not one of them.

See the difference between

[Authorize(Roles = "Sales")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Owner")]
public abstract class SalesController:EmployeeController { }

and

[Authorize(Roles = "Owner,Admin,Employee,Sales")]
public abstract class SalesController:EmployeeController { }

Second question: If you leave [Authorize] uncommented with same logic AccountController is like

[Authorize(Roles = "Owner")]
[Authorize]
public class AccountController:ControllerAuthorities{}

So it does not override inherited authority just creates multiple usage of authorize attribute because multiple usage is allowed for Authorize attribute. If AllowMultiple were false in Authorize attribute definiton then derived class could override the attribute in base class.



回答2:

will the Owner, Admin and Employee Roles have access to the SalesController?

No, They can't access to SalesController. Inheritance makes your code like this:

[Authorize(Roles = "Owner")]
public abstract class ControllerAuthorities:Controller { }
[Authorize(Roles = "Admin", "Owner")]
public abstract class AdminController:Controller { }

[Authorize(Roles = "Employee", "Admin", "Owner")]
public abstract class EmployeeController:Controller { }
[Authorize(Roles = "Sales", "Employee", "Admin", "Owner")]
public abstract class SalesController:Controller { }

And since SalesController requires additional role, named Sales won't be accessible. Key to Access SalesController: The user should be in All the mentioned roles.

If I leave the [Authorize] uncommented, will this override the inherited authority Role?

Yes, since AccountController derived from ControllerAuthorities which requires Owner role.

Note that the controllers in MVC are just classes with some additional features to handle requests. There's no difference with class concepts.

Tip : Look at the followings:

  • [Authorize(Roles = "Sales, Employee, Admin, Owner")] allows the user which have one of the roles. In another words, This acts like OR (||) operation.
  • [Authorize(Roles = "Sales", "Employee", "Admin", "Owner")] allows the user which have All of the roles. In another words, This acts like And (&) operation.

The last one is like your question. That's equal to the following too:

[Authorize(Roles = "Owner")]
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Employee")]
[Authorize(Roles = "Sales")]

For more clarification than this! see How to authorize a set of controllers without placing the annotation on each one?