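Stuck creating a "security trimmed" Html.ActionLink extension method

I want to create an extension method for MVC's HtmlHelper. Its purpose is to enable or disable an ActionLink based on the AuthorizeAttribute set on the controller/action. Borrowing from the MVCSitemap code that Maarten Balliauw created, I want to verify the user's permissions on the controller/action before deciding how to render the ActionLink. When I try to get the MvcHandler, I get a null value. Is there a better way to get the attributes of the controller/action?

Here is the code for the extension method: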
    using System;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Mvc;
    using System.Web.Mvc.Html;

    public static class HtmlHelperExtensions
    {
        public static string SecurityTrimmedActionLink(this HtmlHelper htmlHelper, string linkText, string action, string controller)
        {
            //simplified for brevity
            if (IsAccessibleToUser(action, controller))
            {
                return htmlHelper.ActionLink(linkText, action, controller);
            }
            else
            {
                // HTML-encode the text so it cannot inject markup into the span
                return String.Format("<span>{0}</span>", htmlHelper.Encode(linkText));
            }
        }

        public static bool IsAccessibleToUser(string action, string controller)
        {
            HttpContext context = HttpContext.Current;
            // This is the handler that comes back null, as described above
            MvcHandler handler = context.Handler as MvcHandler;

            // Instantiate the target controller to reflect over its attributes
            IController verifyController =
                ControllerBuilder
                    .Current
                    .GetControllerFactory()
                    .CreateController(handler.RequestContext, controller);

            object[] controllerAttributes = verifyController.GetType().GetCustomAttributes(typeof(AuthorizeAttribute), true);
            object[] actionAttributes = verifyController.GetType().GetMethod(action).GetCustomAttributes(typeof(AuthorizeAttribute), true);

            // No [Authorize] anywhere: the action is open to everyone
            if (controllerAttributes.Length == 0 && actionAttributes.Length == 0)
                return true;

            IPrincipal principal = handler.RequestContext.HttpContext.User;

            // [Authorize] always requires an authenticated user
            if (!principal.Identity.IsAuthenticated)
                return false;

            // Every attribute must pass, controller-level and action-level alike
            foreach (AuthorizeAttribute attribute in controllerAttributes)
            {
                if (!IsAuthorized(attribute, principal)) return false;
            }
            foreach (AuthorizeAttribute attribute in actionAttributes)
            {
                if (!IsAuthorized(attribute, principal)) return false;
            }
            return true;
        }

        // Within one attribute the user must be one of Users (when set)
        // and hold at least one of Roles (when set); "*" matches anyone
        private static bool IsAuthorized(AuthorizeAttribute attribute, IPrincipal principal)
        {
            char[] comma = new[] { ',' };
            string[] roleArray = (attribute.Roles ?? "").Split(comma, StringSplitOptions.RemoveEmptyEntries);
            string[] usersArray = (attribute.Users ?? "").Split(comma, StringSplitOptions.RemoveEmptyEntries);

            bool roleOk = roleArray.Length == 0;
            foreach (string role in roleArray)
            {
                if (role.Trim() == "*" || principal.IsInRole(role.Trim())) roleOk = true;
            }

            bool userOk = usersArray.Length == 0;
            foreach (string user in usersArray)
            {
                if (user.Trim() == "*" || string.Equals(principal.Identity.Name, user.Trim(), StringComparison.OrdinalIgnoreCase)) userOk = true;
            }
            return roleOk && userOk;
        }
    }
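In the new version, I'm trying to get the roles from the AuthorizeAttribute to compare them with the user's roles. I'm not sure how this is done. – 2008-09-23 15:02:57
The problem is that once roles are specified in the AuthorizeAttribute, they don't have to be added to each individual link again. – 2008-09-23 15:12:21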
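On the question of a better way to reach the controller/action attributes, here is an added example (not code from the original post or from MVCSitemap) that reads them by reflection alone, so no MvcHandler or controller instance is needed. `AuthorizeMetadata` and `Find` are hypothetical names; it assumes controllers follow the default `<Name>Controller` naming, live in the assembly passed in, and that actions are not renamed with an action-name alias.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class AuthorizeMetadata
{
    // Hypothetical helper: collects the [Authorize] attributes that guard
    // controller/action using reflection only (no HttpContext, no handler).
    // Returns null when the controller or action cannot be resolved, so the
    // caller can fail closed and render the link as disabled.
    public static AuthorizeAttribute[] Find(Assembly assembly, string controller, string action)
    {
        // Assumption: default naming convention, "Home" -> HomeController.
        Type[] types = assembly.GetTypes()
            .Where(t => !t.IsAbstract
                     && typeof(IController).IsAssignableFrom(t)
                     && string.Equals(t.Name, controller + "Controller",
                                      StringComparison.OrdinalIgnoreCase))
            .ToArray();
        if (types.Length != 1) return null; // missing or ambiguous controller

        // GetMethod(name) throws on overloaded actions, so match by name.
        MethodInfo[] methods = types[0]
            .GetMethods(BindingFlags.Public | BindingFlags.Instance)
            .Where(m => string.Equals(m.Name, action, StringComparison.OrdinalIgnoreCase))
            .ToArray();
        if (methods.Length == 0) return null; // unknown action

        // Controller-level attributes apply to every action; for overloads,
        // keep the attributes of all of them (the stricter reading).
        IEnumerable<object> found = types[0]
            .GetCustomAttributes(typeof(AuthorizeAttribute), true)
            .Concat(methods.SelectMany(
                m => m.GetCustomAttributes(typeof(AuthorizeAttribute), true)));
        return found.Cast<AuthorizeAttribute>().ToArray();
    }
}
```

An empty array means nothing restricts the action, while null means the target could not be resolved and the link should render disabled. Trimming only hides the link; the `[Authorize]` attribute on the action remains the check that enforces access.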