MVC001之权限校验

参考网址:http://bbs.csdn.net/topics/370002739

http://blog.csdn.net/chenloveyue/article/details/7095522

 

http://zhidao.baidu.com/link?url=PJc1jFn52apSxE6QqCZwcq92z7XFpXH91Ud5U0ZuNKR3YO1djilKx3UM-tX1wcwk4oNYOhMGhX6B2YRABOlqMK(如何不让ActionResult不继续执行)

 

需求:想对每个事件进行权限控制,如:某个用户访问UserController的GetList Action时,需要先校验该用户是否有权限.

问题:

1. 不想每个Action中都去写权限校验程序( protected override void OnAuthorization(AuthorizationContext filterContext))
2. Controller如何获取当前用户(session)
3. Controller如何获取用户访问哪个Controller及Action(filterContext.HttpContext.Request.Path)

先创建一个类MyPower,重写OnAuthorization

代码:

 

namespace MvcStudyStep.Controllers
{

    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public class MyPower : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (!new PowerData().CheckUserPower(filterContext.HttpContext.Session["UserName"].ToString(), filterContext.HttpContext.Request.Path.Trim()))
            {
                filterContext.Result = new ContentResult { Content = "没有权限" };
                
                MyMessage message = new MyMessage();
                message.MyTitle = "没有权限";
                message.MyDesc = filterContext.HttpContext.Session["UserName"].ToString()+":"+filterContext.HttpContext.Request.Path.Trim()  ;
                filterContext.HttpContext.Session["MessageObject"] = message;
                filterContext.HttpContext.Response.Redirect("/Message/detail");
            }
            else
            {
                base.OnAuthorization(filterContext);
            }
        }

       
    }
}

filterContext.Result这段必须加上,否则后面的ActionResult还是会执行.
如:你删除记录时,系统会提示没有权限,但删除操作仍执行了.

问题:

1:ActionResult仍执行的问题(已解决)

2:定义一个通用信息页面(接受信息对象并显示在页面),本想在OnAuthorization中把信息对象构建好后直接传给View,不知到如何写,就用Session来传,感觉不太好.