不同角色的不同 API 功能
Different API functionality for different roles
我有一个基于 ASP.NET Core 2.1 的 API，使用基于声明（claims）的身份验证。能否把下面这两个 API 功能合并为一个？
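/// <summary>
/// Deletes the item whose id is carried in <paramref name="item"/>. Access is
/// limited to callers in the "Admin" role by the attribute; no per-item
/// ownership check is made here.
/// </summary>
/// <param name="item">Request body carrying the id of the item to delete.</param>
/// <returns>200 on success; 400 when no body could be bound.</returns>
[Authorize(Roles = "Admin")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    // [FromBody] binds null on an empty or unparseable body; answer 400 rather
    // than letting item.Id throw a NullReferenceException (500).
    if (item is null)
    {
        return BadRequest();
    }

    _itemService.Delete(item.Id);
    return Ok();
}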
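/// <summary>
/// Deletes an item on behalf of any authenticated caller. The caller's id is
/// read from the NameIdentifier claim and passed to IsAuthor; the delete is
/// refused with 403 when that check fails.
/// </summary>
/// <param name="item">Request body carrying the id of the item to delete.</param>
/// <returns>
/// 200 on success; 400 when no body could be bound; 403 when the caller has no
/// usable id claim or IsAuthor rejects it.
/// </returns>
[Authorize]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    if (item is null)
    {
        return BadRequest();
    }

    // FindFirst returns null when the claim is absent and int.Parse throws on
    // non-numeric input; both surfaced as a 500 in the original. TryParse on
    // the null-conditional value treats either case as "no usable identity".
    var idClaim = User.FindFirst(ClaimTypes.NameIdentifier);
    if (!int.TryParse(idClaim?.Value, out var userId))
    {
        return Forbid();
    }

    // NOTE(review): IsAuthor receives only the caller's id, not item.Id, so it
    // can only establish that the caller is *an* author, not the author of
    // this particular item. If per-item ownership is intended the service
    // check needs the item id too — confirm against the IItemService contract.
    if (!_itemService.IsAuthor(userId))
    {
        return Forbid();
    }

    _itemService.Delete(item.Id);
    return Ok();
}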
还是说我应该直接在方法内部检查角色？（注：上面两个 action 使用了相同的 HTTP 方法和路由模板 `[HttpPost("delete")]`，MVC 无法区分它们，请求时会因为匹配到多个 action 而抛出 AmbiguousActionException，所以两者原样并存是不行的。）
要检查用户是 Admin 还是 Author，可以按照 @user2884707bond 提到的文档，实现 multiple requirements（多个授权需求），并把它们用于你的场景。
您可以按照以下步骤操作。注意：通过 `[Authorize(Policy = ...)]` 触发授权时，处理器中的 `context.Resource` 是 MVC 的授权过滤器上下文，而不是 `Item`；如果要按资源判断"是否为该条目的作者"，需要在 action 内部通过 `IAuthorizationService.AuthorizeAsync(User, item, "Delete")` 进行命令式（resource-based）授权：
PermissionHandler.cs
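/// <summary>
/// Single handler for the Read, Edit and Delete requirements. Owners satisfy
/// every requirement; members of the "Admin" role satisfy them as well, which
/// is what lets one policy cover both the admin case and the author case
/// from the question.
/// </summary>
/// <remarks>
/// A handler only ever calls <c>Succeed</c>; a requirement that is never
/// marked succeeded fails by default, so no explicit <c>Fail</c> is needed.
/// <c>context.Resource</c> is whatever the caller supplied: when the policy is
/// applied through <c>[Authorize(Policy = ...)]</c> it is the MVC filter
/// context, not the item, so an ownership check needs the item passed in via
/// <c>IAuthorizationService.AuthorizeAsync(user, item, policy)</c>.
/// </remarks>
public class PermissionHandler : IAuthorizationHandler
{
    /// <summary>
    /// Marks every pending requirement this handler understands as succeeded
    /// when the caller is the resource owner or an admin.
    /// </summary>
    /// <param name="context">Authorization context supplied by the policy evaluator.</param>
    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        // Succeed() mutates PendingRequirements, so iterate over a snapshot.
        foreach (var requirement in context.PendingRequirements.ToList())
        {
            if (Allows(requirement, context.User, context.Resource))
            {
                context.Succeed(requirement);
            }
        }

        return Task.CompletedTask;
    }

    /// <summary>
    /// Decides one requirement. The cases are listed separately so the rules
    /// can diverge later; today all three share the owner-or-admin rule
    /// because the question wants admins to delete any item, not only their own.
    /// </summary>
    private bool Allows(IAuthorizationRequirement requirement, ClaimsPrincipal user, object resource)
    {
        switch (requirement)
        {
            case ReadPermission _:
            case EditPermission _:
            case DeletePermission _:
                return IsOwner(user, resource) || IsAdmin(user, resource);
            default:
                // Requirements this handler does not know stay pending, i.e. fail closed.
                return false;
        }
    }

    /// <summary>True when the principal carries the "Admin" role.</summary>
    private bool IsAdmin(ClaimsPrincipal user, object resource) => user.IsInRole("Admin");

    /// <summary>
    /// Placeholder for the ownership check (compare the caller's id claim with
    /// the item's author). Until that exists it fails closed: the sample's
    /// <c>return true</c> made every authenticated user the owner of everything.
    /// </summary>
    private bool IsOwner(ClaimsPrincipal user, object resource)
    {
        // TODO: implement against the real item/author relationship.
        return false;
    }
}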
要求
/// <summary>
/// Requirement type satisfied by <c>PermissionHandler</c> for read access.
/// Carries no members in this listing; it acts purely as a marker.
/// </summary>
public class ReadPermission : IAuthorizationRequirement { }
/// <summary>
/// Requirement type satisfied by <c>PermissionHandler</c> for edit access.
/// Carries no members in this listing; it acts purely as a marker.
/// </summary>
public class EditPermission : IAuthorizationRequirement { }
/// <summary>
/// Requirement type satisfied by <c>PermissionHandler</c> for delete access.
/// Carries no members in this listing; it acts purely as a marker.
/// </summary>
public class DeletePermission : IAuthorizationRequirement { }
在 Startup.cs 中注册 Requirement（注意：原示例只注册了 "Read" 策略，却用它来保护删除接口；删除接口应当注册并使用包含 DeletePermission 的 "Delete" 策略）：
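// One policy per requirement so an endpoint can ask for the permission it
// actually needs. The original registered only "Read", which is what forced
// the delete endpoint below to be guarded by a read policy.
services.AddAuthorization(options =>
{
    options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
    options.AddPolicy("Edit", policy => policy.AddRequirements(new EditPermission()));
    options.AddPolicy("Delete", policy => policy.AddRequirements(new DeletePermission()));
});
// The handler holds no state, so a singleton is fine; registering it under
// IAuthorizationHandler is what lets the policy evaluator discover it.
services.AddSingleton<IAuthorizationHandler, PermissionHandler>();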
使用
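/// <summary>
/// Deletes an item once the "Read" policy (owner or admin, as decided by
/// PermissionHandler) has been satisfied by the authorization filter.
/// </summary>
/// <param name="item">Request body carrying the id of the item to delete.</param>
/// <returns>200 on success; 400 when no body could be bound.</returns>
/// <remarks>
/// NOTE(review): guarding a delete endpoint with a *Read* policy is a
/// mismatch — once a "Delete" policy is registered this attribute should use
/// it. The policy also runs before model binding, so the handler never sees
/// <paramref name="item"/>; per-item ownership needs an imperative
/// <c>IAuthorizationService.AuthorizeAsync(User, item, "Delete")</c> call here.
/// </remarks>
[Authorize(Policy = "Read")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    // [FromBody] binds null on an empty or unparseable body; answer 400 rather
    // than letting item.Id throw a NullReferenceException (500).
    if (item is null)
    {
        return BadRequest();
    }

    _itemService.Delete(item.Id);
    return Ok();
}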
我有一个基于 ASP.NET Core 2.1 的 API，使用基于声明（claims）的身份验证。能否把下面这两个 API 功能合并为一个？
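/// <summary>
/// Deletes the item whose id is carried in <paramref name="item"/>. Access is
/// limited to callers in the "Admin" role by the attribute; no per-item
/// ownership check is made here.
/// </summary>
/// <param name="item">Request body carrying the id of the item to delete.</param>
/// <returns>200 on success; 400 when no body could be bound.</returns>
[Authorize(Roles = "Admin")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    // [FromBody] binds null on an empty or unparseable body; answer 400 rather
    // than letting item.Id throw a NullReferenceException (500).
    if (item is null)
    {
        return BadRequest();
    }

    _itemService.Delete(item.Id);
    return Ok();
}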
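/// <summary>
/// Deletes an item on behalf of any authenticated caller. The caller's id is
/// read from the NameIdentifier claim and passed to IsAuthor; the delete is
/// refused with 403 when that check fails.
/// </summary>
/// <param name="item">Request body carrying the id of the item to delete.</param>
/// <returns>
/// 200 on success; 400 when no body could be bound; 403 when the caller has no
/// usable id claim or IsAuthor rejects it.
/// </returns>
[Authorize]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    if (item is null)
    {
        return BadRequest();
    }

    // FindFirst returns null when the claim is absent and int.Parse throws on
    // non-numeric input; both surfaced as a 500 in the original. TryParse on
    // the null-conditional value treats either case as "no usable identity".
    var idClaim = User.FindFirst(ClaimTypes.NameIdentifier);
    if (!int.TryParse(idClaim?.Value, out var userId))
    {
        return Forbid();
    }

    // NOTE(review): IsAuthor receives only the caller's id, not item.Id, so it
    // can only establish that the caller is *an* author, not the author of
    // this particular item. If per-item ownership is intended the service
    // check needs the item id too — confirm against the IItemService contract.
    if (!_itemService.IsAuthor(userId))
    {
        return Forbid();
    }

    _itemService.Delete(item.Id);
    return Ok();
}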
还是说我应该直接在方法内部检查角色？（注：上面两个 action 使用了相同的 HTTP 方法和路由模板 `[HttpPost("delete")]`，MVC 无法区分它们，请求时会因为匹配到多个 action 而抛出 AmbiguousActionException，所以两者原样并存是不行的。）
要检查用户是 Admin 还是 Author，可以按照 @user2884707bond 提到的文档，实现 multiple requirements（多个授权需求），并把它们用于你的场景。
您可以按照以下步骤操作。注意：通过 `[Authorize(Policy = ...)]` 触发授权时，处理器中的 `context.Resource` 是 MVC 的授权过滤器上下文，而不是 `Item`；如果要按资源判断"是否为该条目的作者"，需要在 action 内部通过 `IAuthorizationService.AuthorizeAsync(User, item, "Delete")` 进行命令式（resource-based）授权：
PermissionHandler.cs
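/// <summary>
/// Single handler for the Read, Edit and Delete requirements. Owners satisfy
/// every requirement; members of the "Admin" role satisfy them as well, which
/// is what lets one policy cover both the admin case and the author case
/// from the question.
/// </summary>
/// <remarks>
/// A handler only ever calls <c>Succeed</c>; a requirement that is never
/// marked succeeded fails by default, so no explicit <c>Fail</c> is needed.
/// <c>context.Resource</c> is whatever the caller supplied: when the policy is
/// applied through <c>[Authorize(Policy = ...)]</c> it is the MVC filter
/// context, not the item, so an ownership check needs the item passed in via
/// <c>IAuthorizationService.AuthorizeAsync(user, item, policy)</c>.
/// </remarks>
public class PermissionHandler : IAuthorizationHandler
{
    /// <summary>
    /// Marks every pending requirement this handler understands as succeeded
    /// when the caller is the resource owner or an admin.
    /// </summary>
    /// <param name="context">Authorization context supplied by the policy evaluator.</param>
    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        // Succeed() mutates PendingRequirements, so iterate over a snapshot.
        foreach (var requirement in context.PendingRequirements.ToList())
        {
            if (Allows(requirement, context.User, context.Resource))
            {
                context.Succeed(requirement);
            }
        }

        return Task.CompletedTask;
    }

    /// <summary>
    /// Decides one requirement. The cases are listed separately so the rules
    /// can diverge later; today all three share the owner-or-admin rule
    /// because the question wants admins to delete any item, not only their own.
    /// </summary>
    private bool Allows(IAuthorizationRequirement requirement, ClaimsPrincipal user, object resource)
    {
        switch (requirement)
        {
            case ReadPermission _:
            case EditPermission _:
            case DeletePermission _:
                return IsOwner(user, resource) || IsAdmin(user, resource);
            default:
                // Requirements this handler does not know stay pending, i.e. fail closed.
                return false;
        }
    }

    /// <summary>True when the principal carries the "Admin" role.</summary>
    private bool IsAdmin(ClaimsPrincipal user, object resource) => user.IsInRole("Admin");

    /// <summary>
    /// Placeholder for the ownership check (compare the caller's id claim with
    /// the item's author). Until that exists it fails closed: the sample's
    /// <c>return true</c> made every authenticated user the owner of everything.
    /// </summary>
    private bool IsOwner(ClaimsPrincipal user, object resource)
    {
        // TODO: implement against the real item/author relationship.
        return false;
    }
}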
要求
/// <summary>
/// Requirement type satisfied by <c>PermissionHandler</c> for read access.
/// Carries no members in this listing; it acts purely as a marker.
/// </summary>
public class ReadPermission : IAuthorizationRequirement { }

/// <summary>
/// Requirement type satisfied by <c>PermissionHandler</c> for edit access.
/// Carries no members in this listing; it acts purely as a marker.
/// </summary>
public class EditPermission : IAuthorizationRequirement { }

/// <summary>
/// Requirement type satisfied by <c>PermissionHandler</c> for delete access.
/// Carries no members in this listing; it acts purely as a marker.
/// </summary>
public class DeletePermission : IAuthorizationRequirement { }
在 Startup.cs 中注册 Requirement（注意：原示例只注册了 "Read" 策略，却用它来保护删除接口；删除接口应当注册并使用包含 DeletePermission 的 "Delete" 策略）：
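// One policy per requirement so an endpoint can ask for the permission it
// actually needs. The original registered only "Read", which is what forced
// the delete endpoint below to be guarded by a read policy.
services.AddAuthorization(options =>
{
    options.AddPolicy("Read", policy => policy.AddRequirements(new ReadPermission()));
    options.AddPolicy("Edit", policy => policy.AddRequirements(new EditPermission()));
    options.AddPolicy("Delete", policy => policy.AddRequirements(new DeletePermission()));
});
// The handler holds no state, so a singleton is fine; registering it under
// IAuthorizationHandler is what lets the policy evaluator discover it.
services.AddSingleton<IAuthorizationHandler, PermissionHandler>();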
使用
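/// <summary>
/// Deletes an item once the "Read" policy (owner or admin, as decided by
/// PermissionHandler) has been satisfied by the authorization filter.
/// </summary>
/// <param name="item">Request body carrying the id of the item to delete.</param>
/// <returns>200 on success; 400 when no body could be bound.</returns>
/// <remarks>
/// NOTE(review): guarding a delete endpoint with a *Read* policy is a
/// mismatch — once a "Delete" policy is registered this attribute should use
/// it. The policy also runs before model binding, so the handler never sees
/// <paramref name="item"/>; per-item ownership needs an imperative
/// <c>IAuthorizationService.AuthorizeAsync(User, item, "Delete")</c> call here.
/// </remarks>
[Authorize(Policy = "Read")]
[HttpPost("delete")]
public IActionResult Delete([FromBody]Item item)
{
    // [FromBody] binds null on an empty or unparseable body; answer 400 rather
    // than letting item.Id throw a NullReferenceException (500).
    if (item is null)
    {
        return BadRequest();
    }

    _itemService.Delete(item.Id);
    return Ok();
}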