我有一个操作,我只想限制为“管理员”角色。我是这样做的:
[Authorize(Roles = "Admin")]
public ActionResult Edit(int id)
在手动进入 Controller/Edit/1 路径后,我被重定向到登录页面。好吧,这也许还不错,但我想显示 404 而不是它,并尝试坚持使用它的属性。这可能吗?
【问题讨论】:
标签: asp.net-mvc asp.net-mvc-3 error-handling authorization
这可能吗?
当然,您可以编写自定义授权属性:
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
filterContext.Result = new ViewResult
{
ViewName = "~/Views/Shared/401.cshtml"
};
}
}
然后使用它:
[MyAuthorize(Roles = "Admin")]
public ActionResult Edit(int id)
备注:如果用户未获得授权,您可能希望显示 401 或 403 页面,而不是 404,即未找到文件。
【讨论】:
HandleUnauthorizedRequest 方法与另一个答案中的 OnAuthorization 方法放在同一类中。继续努力,达林!
作为对@Daniel 对我对@Darin 回答的评论的回应,这是我的实现:
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
string cookieName = FormsAuthentication.FormsCookieName;
if (!filterContext.HttpContext.User.Identity.IsAuthenticated ||
filterContext.HttpContext.Request.Cookies == null ||
filterContext.HttpContext.Request.Cookies[cookieName] == null
)
{
HandleUnauthorizedRequest(filterContext);
return;
}
var authCookie = filterContext.HttpContext.Request.Cookies[cookieName];
var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
string[] roles = authTicket.UserData.Split(',');
var userIdentity = new GenericIdentity(authTicket.Name);
var userPrincipal = new GenericPrincipal(userIdentity, roles);
filterContext.HttpContext.User = userPrincipal;
base.OnAuthorization(filterContext);
}
// Redirects unauthorized users to a "401 Unauthorized" page
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
filterContext.Result = new ViewResult
{
ViewName = "~/Views/Shared/Error/401.cshtml"
};
}
}
【讨论】: