Question
I have a problem. I am building a site in ASP.NET MVC3, in which I made several controllers, all of them authorized
because I don't want unauthorized users to access those controllers.
Let's suppose I have a controller with 2 methods in it, as follows:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace Com.health.Controllers
{
    [Authorize]
    public class MyfirstController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        public ActionResult seeyourDetails(int id)
        {
            return View();
        }
    }
}
Now let's suppose our method seeyourDetails tells any user his account information. The problem is that when a user accesses this method, the URL is http://www.exampple.com/Myfirst/seeyourDetails/10, where 10 is the current user id by which I show him his details. But what should I do if a person logs into my site, accesses this URL and manually changes the 10 to any other number in the URL? My controller will show him all details regarding that user.
Note: I can do this in one place or two places, but I need some solution that I implement in one place and that affects my whole application. Thanks
Answer 1:
The only way I see is to check if the user id from the query string is the same as the user id logged in. This is more of a patching-things solution; the proper way is to change how the app works. Something like this, you still need to modify it a bit.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null)
            return; // base check already failed (not authenticated / wrong role)

        var ctx = filterContext.HttpContext;
        var name = ctx.User.Identity.Name;
        // get user id from db where username = name
        int userId = GetUserIdFromDb(name);

        // in /Myfirst/seeyourDetails/10 the id is a route value, not a query-string
        // parameter, so look in RouteData first and fall back to Request.Params
        object routeId;
        string raw = filterContext.RouteData.Values.TryGetValue("id", out routeId) && routeId != null
            ? routeId.ToString()
            : ctx.Request.Params["id"];

        int urlId;
        if (!Int32.TryParse(raw, out urlId) || userId != urlId)
            filterContext.Result = new HttpUnauthorizedResult();
    }

    // replace with the real lookup against your user table
    private static int GetUserIdFromDb(string userName)
    {
        throw new NotImplementedException();
    }
}
Answer 2:
First, the Authorize attribute is very powerful and granular. You can use it at class level and at method level. You can also set which Roles have access to it.
[Authorize]
public class MyFirstController : Controller
You're basically saying any user that has been authenticated may access it. You can also use
[Authorize(Roles="Administrator")]
public class MyFirstController : Controller
giving you finer control. Here you're saying only users in the Administrator role are allowed to access these contents.
Now for the SeeYourDetails action: you shouldn't really be sending the user ID. If the user is currently logged in, you can access his/her details like this:
var current = Membership.GetUser();
So all your code would look something like this:
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using System.Collections.Generic;

namespace TestArea.Controllers
{
    [Authorize]
    public class MyFirstController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        public ActionResult SeeYourDetails()
        {
            //get the currently logged in user
            var current = Membership.GetUser();
            //you can always do something else here
            return View(current);
        }
    }
}
More info on the Authorize attribute: http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
Last, but not least: if you're going to program in C#, you should respect its notation :-) Hope this helps
Answer 3:
You don't have to get the user id from the query-string parameter. You have to store the authenticated user's info in Session, and get it from Session when you need to know the authenticated user.
Answer 4:
What you are trying to describe is data authorization: the user can see only his own details after logging into the site.
You can create a custom Authorize filter as said by @MikeSW. In the authorization filter, check if the logged-in user's id is the same as the id passed in the query string, and for that you have to store the user id in session.
Since it is a filter, you can apply it at action level, controller level or global level too.
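The following is an added example, not code from the question or from any of the answers above. It combines the ownership check sketched in answer 1 with the global registration answer 4 mentions, and adds the two things a practitioner usually wants in that filter: it reads the id from the route (/Myfirst/seeyourDetails/10) as well as from the query string, and it answers a logged-in user who asks for someone else's record with 403 rather than 401 (forms authentication turns a 401 into a redirect to the login page, which is confusing for a user who is already logged in). The attribute name OwnsRecordAttribute, its IdParameter property and the assumption that the membership provider's ProviderUserKey is the integer id that appears in the URL are all mine; adapt the lookup to however the application stores its user ids.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace Com.health.Filters
{
    // Hypothetical filter (added example). Runs the normal [Authorize] check first,
    // then compares the "id" in the URL with the id of the user who is logged in,
    // so /Myfirst/seeyourDetails/10 only works for user 10.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public class OwnsRecordAttribute : AuthorizeAttribute
    {
        // Name of the route / query-string parameter that carries the record owner's id.
        public string IdParameter { get; set; }

        public OwnsRecordAttribute()
        {
            IdParameter = "id";
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            base.OnAuthorization(filterContext);
            if (filterContext.Result != null)
                return; // not authenticated or wrong role: the base class already set the 401

            // Actions without an id (e.g. Index) have nothing to compare against.
            // A filter registered globally must tolerate that case instead of failing.
            string raw = ReadIdFromRequest(filterContext);
            if (raw == null)
                return;

            int requestedId;
            int? currentUserId = GetCurrentUserId();
            if (!Int32.TryParse(raw, out requestedId)
                || currentUserId == null
                || currentUserId.Value != requestedId)
            {
                // 403, not 401: the user IS authenticated, so a login redirect would be wrong.
                filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Forbidden);
            }
        }

        private string ReadIdFromRequest(AuthorizationContext filterContext)
        {
            // Route value first (/Controller/Action/10), then query string (?id=10).
            object routeValue;
            if (filterContext.RouteData.Values.TryGetValue(IdParameter, out routeValue) && routeValue != null)
                return routeValue.ToString();
            return filterContext.HttpContext.Request.QueryString[IdParameter];
        }

        // Assumption: ProviderUserKey is the integer user id used in URLs.
        private static int? GetCurrentUserId()
        {
            MembershipUser user = Membership.GetUser();
            if (user == null || user.ProviderUserKey == null)
                return null;
            int id;
            return Int32.TryParse(user.ProviderUserKey.ToString(), out id) ? (int?)id : null;
        }
    }

    // Global.asax.cs: the "global level" registration from answer 4, so the check
    // is written once and applied to every action in the application.
    public class MvcApplication : HttpApplication
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new OwnsRecordAttribute());
        }
        // Application_Start and RegisterRoutes as generated by the project template.
    }
}
```

One caveat when registering it globally: in MVC 3 there is no [AllowAnonymous] (that arrived in MVC 4), so a global AuthorizeAttribute also guards the login and registration actions themselves. Either register the attribute on the controllers that serve per-user data, or give the anonymous actions an explicit way to opt out before going global. The filter also only checks the parameter named by IdParameter; ids carried in a POST body need the same comparison inside the action or a separate check.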
Source: https://stackoverflow.com/questions/10241022/how-to-create-custom-authorize-filter-in-asp-net-mvc3