在 .NET Core 1.0 MVC 的视图中使用授权策略的任何方法?
Any way to use Authorization Policies in a view in .NET Core 1.0 MVC?
我知道在控制器中,您可以毫无问题地编写 [Authorize("policyName")],但是有什么方法可以在视图中使用策略吗?我不想每次都使用 User.IsInRole(...) 我想授权一些 HTML.
编辑:
这是一些代码
Startup.cs -- 政策声明
services.AddAuthorization(options =>
{
options.AddPolicy("testPolicy", policy =>
{
policy.RequireAuthenticatedUser()
.RequireRole("RoleOne", "RoleTwo", "RoleThree")
.RequireClaim(ClaimTypes.Email);
});
});
管理员控制器
[Authorize("testPolicy")]
public class AdminController : Controller
{
public IActionResult Index()
{
return View();
}
}
导航栏HTML
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li><a asp-controller="Home" asp-action="Index">Home</a></li>
<!-- I want to implement my policy here. -->
@if (User.IsInRole("..."))
{
<li><a asp-controller="Admin" asp-action="Index">Admin</a></li>
}
</ul>
@await Html.PartialAsync("_LoginPartial")
</div>
</div>
我发现这个 link 可能有用:https://docs.asp.net/en/latest/security/authorization/views.html
该页面的示例:
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
{
<p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
In some cases the resource will be your view model, and you can call AuthorizeAsync in exactly the same way as you would check during resource based authorization;
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
{
<p><a class="btn btn-default" role="button"
href="@Url.Action("Edit", "Document", new {id= Model.Id})">Edit</a></p>
}
我最终创建了一个标签助手来有条件地隐藏与之关联的元素。
[HtmlTargetElement(Attributes = "policy")]
public class PolicyTagHelper : TagHelper
{
private readonly IAuthorizationService _authService;
private readonly ClaimsPrincipal _principal;
public PolicyTagHelper(IAuthorizationService authService, IHttpContextAccessor httpContextAccessor)
{
_authService = authService;
_principal = httpContextAccessor.HttpContext.User;
}
public string Policy { get; set; }
public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
{
// if (!await _authService.AuthorizeAsync(_principal, Policy)) ASP.NET Core 1.x
if (!(await _authService.AuthorizeAsync(_principal, Policy)).Succeeded)
output.SuppressOutput();
}
}
用法
<li policy="testPolicy"><a asp-controller="Admin" asp-action="Index">Admin</a></li>
这是 ASP Core 中的重大改进之一,您可以将标识注入启动文件中的所有页面:
@if (User.IsInRole("Admin"))
{
<p>
<a asp-action="Create" asp-controller="MyController">Create New</a>
</p>
}
在Startup.cs中:
services.AddIdentity<ApplicationUser, IdentityRole>()
编辑:
好吧,我误读了 post,你已经知道了 :) - 如果有人可以使用它,我无论如何都会留下它。
我知道在控制器中,您可以毫无问题地编写 [Authorize("policyName")],但是有什么方法可以在视图中使用策略吗?我不想每次都使用 User.IsInRole(...) 我想授权一些 HTML.
编辑:
这是一些代码
Startup.cs -- 政策声明
services.AddAuthorization(options =>
{
options.AddPolicy("testPolicy", policy =>
{
policy.RequireAuthenticatedUser()
.RequireRole("RoleOne", "RoleTwo", "RoleThree")
.RequireClaim(ClaimTypes.Email);
});
});
管理员控制器
[Authorize("testPolicy")]
public class AdminController : Controller
{
public IActionResult Index()
{
return View();
}
}
导航栏HTML
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li><a asp-controller="Home" asp-action="Index">Home</a></li>
<!-- I want to implement my policy here. -->
@if (User.IsInRole("..."))
{
<li><a asp-controller="Admin" asp-action="Index">Admin</a></li>
}
</ul>
@await Html.PartialAsync("_LoginPartial")
</div>
</div>
我发现这个 link 可能有用:https://docs.asp.net/en/latest/security/authorization/views.html
该页面的示例:
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
{
<p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
In some cases the resource will be your view model, and you can call AuthorizeAsync in exactly the same way as you would check during resource based authorization;
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
{
<p><a class="btn btn-default" role="button"
href="@Url.Action("Edit", "Document", new {id= Model.Id})">Edit</a></p>
}
我最终创建了一个标签助手来有条件地隐藏与之关联的元素。
[HtmlTargetElement(Attributes = "policy")]
public class PolicyTagHelper : TagHelper
{
private readonly IAuthorizationService _authService;
private readonly ClaimsPrincipal _principal;
public PolicyTagHelper(IAuthorizationService authService, IHttpContextAccessor httpContextAccessor)
{
_authService = authService;
_principal = httpContextAccessor.HttpContext.User;
}
public string Policy { get; set; }
public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
{
// if (!await _authService.AuthorizeAsync(_principal, Policy)) ASP.NET Core 1.x
if (!(await _authService.AuthorizeAsync(_principal, Policy)).Succeeded)
output.SuppressOutput();
}
}
用法
<li policy="testPolicy"><a asp-controller="Admin" asp-action="Index">Admin</a></li>
这是 ASP Core 中的重大改进之一,您可以将标识注入启动文件中的所有页面:
@if (User.IsInRole("Admin"))
{
<p>
<a asp-action="Create" asp-controller="MyController">Create New</a>
</p>
}
在Startup.cs中:
services.AddIdentity<ApplicationUser, IdentityRole>()
编辑: 好吧,我误读了 post,你已经知道了 :) - 如果有人可以使用它,我无论如何都会留下它。