User roles and authorization

Published 2019-09-05 07:00

So I want to create a login page where, when you enter your login credentials as an admin, you get access. If you are not an admin you get redirected back to the login page. In my database I have a field of boolean type:

isAdmin <-- datatype (byte)

So what is the best way to do this?! I would like to do this in the repository pattern way, as it gets easier to unit test it then.

I have googled this a lot and am starting to get a bit confused on the matter. How many classes, models, etc. should I have?! I'm guessing one controller would do. Anyone got any good ideas?! I've read some on the DCI pattern about user roles, but as it is basically "only" to check that boolean in the database, maybe it is overkill? Thankful for all feedback.

3 answers
放我归山
Post 2 · 2019-09-05 07:22

Is your isAdmin column a bit or a byte? It should probably be a bit. You could just create a query that checks the credentials and the IsAdmin column. If a row is returned then the login was successful.

Explosion°爆炸
Post 3 · 2019-09-05 07:31

You should create a custom Membership Provider and check the user isAdmin as part of ValidateUser.

Alternatively if other users are allowed in, use a custom role provider.

The following link is a good place to start

http://theintegrity.co.uk/2010/11/asp-net-mvc-2-custom-membership-provider-tutorial-part-1/

冷血范
Post 4 · 2019-09-05 07:41

If I understand correctly, I had a similar issue. It seems from your question that you are not using the default membership provider (at least as is). I didn't either. So what I did was create a new authorization attribute. In your case it could look something like this:

using System.Web;
using System.Web.Mvc;

// IUserRepository, SqlUserRepository, DbContext and SimpleUser are the
// answer author's own types, defined elsewhere in their application.
public class AdminOnlyAttribute : AuthorizeAttribute {
    IUserRepository _UserRepository;

    public SimpleUser SimpleUser { get; set; }

    public AdminOnlyAttribute() {
        _UserRepository = new SqlUserRepository(new DbContext());
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        // Let the base attribute verify that the request is authenticated first
        bool baseAuthorized = base.AuthorizeCore(httpContext);
        if (!baseAuthorized) {
            return false;
        }

        //Here you use your repository to check if a user is an admin or not.
        //This assumes the authenticated identity's Name holds the numeric user ID.
        bool isAdmin = _UserRepository.IsAdmin(int.Parse(httpContext.User.Identity.Name));

        if (!isAdmin) {
            return false;
        }

        return true;
    }
}

The repository method IsAdmin could be as simple as a query to check the boolean corresponding to the supplied user's ID. Something like this (please double check if SingleOrDefault() is necessary or not):

using System.Linq;

// db is the data context (the DbContext above) that exposes the Users table.
public bool IsAdmin(int userID) {
    // SingleOrDefault() returns default(bool), i.e. false, when no row matches,
    // so an unknown user ID is treated as "not admin"; it throws if the ID is duplicated.
    bool isAdmin = (from user in db.Users
                    where user.ID == userID
                    select user.isAdmin).SingleOrDefault();
    return isAdmin;
}

And then use this in the action you want like so:

[AdminOnly]
public ActionResult Index(){
    //Code here...
}

When this returns false, your ActionResult will be an HttpUnauthorizedResult which in theory should redirect to the login page.

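The attribute approach in the answer above, as an added example that is not part of the original answer and not the answer author's code. It keeps the same shape (an AuthorizeAttribute subclass backed by a repository) but hardens the two weak spots a reviewer would flag: int.Parse on Identity.Name throws (an HTTP 500 error) for a non-numeric name, and constructing the repository inside the attribute makes it impossible to unit test, which the question explicitly cares about. IUserRepository, FakeUserRepository and the RepositoryFactory seam are assumptions for illustration; the real repository implementation belongs in the application. HttpStatusCodeResult requires ASP.NET MVC 3 or later.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical repository contract: true only if the user exists AND isAdmin is set.
public interface IUserRepository
{
    bool IsAdmin(int userId);
}

public class AdminOnlyAttribute : AuthorizeAttribute
{
    // Testability seam (an assumption, not an MVC feature): the application sets this
    // once at startup to return its real repository; unit tests supply a fake.
    public static Func<IUserRepository> RepositoryFactory { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check only confirms the request carries an authenticated identity.
        if (!base.AuthorizeCore(httpContext))
            return false;

        return IsAdminUser(httpContext.User.Identity.Name, RepositoryFactory);
    }

    // The pure decision, separated so it can be tested without an HttpContext.
    public static bool IsAdminUser(string identityName, Func<IUserRepository> factory)
    {
        if (factory == null)
            return false; // misconfiguration: deny rather than throw or allow

        // Fail closed on a non-numeric or non-positive identity name instead of
        // letting int.Parse throw inside the filter pipeline.
        int userId;
        if (!int.TryParse(identityName, out userId) || userId <= 0)
            return false;

        try
        {
            return factory().IsAdmin(userId);
        }
        catch (Exception)
        {
            // A data-access failure must never grant access.
            return false;
        }
    }

    // An authenticated but non-admin user gets 403 rather than the default 401,
    // which would bounce an already-logged-in user back to the login page.
    // Anonymous users keep the default login redirect.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Constructed fake for unit tests: only user 7 is an admin.
public class FakeUserRepository : IUserRepository
{
    public bool IsAdmin(int userId) { return userId == 7; }
}

public static class AdminOnlyAttributeChecks
{
    // Exercises the decision logic without any web or database dependency.
    public static void Run()
    {
        Func<IUserRepository> fake = () => new FakeUserRepository();
        if (!AdminOnlyAttribute.IsAdminUser("7", fake)) throw new Exception("admin was denied");
        if (AdminOnlyAttribute.IsAdminUser("1", fake)) throw new Exception("non-admin was allowed");
        if (AdminOnlyAttribute.IsAdminUser("alice", fake)) throw new Exception("non-numeric name was allowed");
        if (AdminOnlyAttribute.IsAdminUser("7", null)) throw new Exception("missing factory was allowed");
    }
}
```

Register the real repository once at application start (AdminOnlyAttribute.RepositoryFactory = () => new SqlUserRepository(new DbContext());) and decorate actions or whole controllers with [AdminOnly] exactly as in the answer. The point of the static factory is only to give tests a way in without a container; if the project already uses dependency injection, a filter provider that resolves IUserRepository per request is the cleaner equivalent.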