比如需要操作某一张表league的数据,multi-tenancy的模式,每一行数据都有一个租户id的字段。

那么在api调用操作的时候,我们需要检查league的id,是否和当前用户所属的租户信息一致。防止传递了假信息。处理越权访问的问题。

Understanding Action Filters

The goal of this tutorial is to explain action filters. An action filter is an attribute that you can apply to a controller action -- or an entire controller -- that modifies the way in which the action is executed. The ASP.NET MVC framework includes several action filters:

  • OutputCache – This action filter caches the output of a controller action for a specified amount of time.
  • HandleError – This action filter handles errors raised when a controller action executes.
  • Authorize – This action filter enables you to restrict access to a particular user or role.

You also can create your own custom action filters. For example, you might want to create a custom action filter in order to implement a custom authentication system. Or, you might want to create an action filter that modifies the view data returned by a controller action.

In this tutorial, you learn how to build an action filter from the ground up. We create a Log action filter that logs different stages of the processing of an action to the Visual Studio Output window.

The Base ActionFilterAttribute Class

In order to make it easier for you to implement a custom action filter, the ASP.NET MVC framework includes a base ActionFilterAttribute class. This class implements both the IActionFilter and IResultFilter interfaces and inherits from the Filter class.

The terminology here is not entirely consistent. Technically, a class that inherits from the ActionFilterAttribute class is both an action filter and a result filter. However, in the loose sense, the word action filter is used to refer to any type of filter in the ASP.NET MVC framework.

The base ActionFilterAttribute class has the following methods that you can override:

  • OnActionExecuting – This method is called before a controller action is executed.
  • OnActionExecuted – This method is called after a controller action is executed.
  • OnResultExecuting – This method is called before a controller action result is executed.
  • OnResultExecuted – This method is called after a controller action result is executed.

In the next section, we'll see how you can implement each of these different methods.

针对数据越权操作,进行数据的权限检查

public class LeaguePermissionActionFilter : ActionFilterAttribute

    {

        /// <summary>

        /// This method is called before a controller action is executed.

        /// </summary>

        /// <param name="filterContext"></param>

        public override void OnActionExecuting(ActionExecutingContext filterContext)

        {

            var parameterName = "model";

            var parameter = filterContext.ActionParameters[parameterName];

            LeagueTableBaseDtoModel model = parameter as LeagueTableBaseDtoModel;

            var permissionCheckResult = PermissionCheckHelper.PermissionCheckByLeagueTableId(model.LeagueTableId);

            if (permissionCheckResult.Status == OperationStatus.Failed)

            {

                filterContext.Result =

                    new HttpStatusCodeResult(HttpStatusCode.Forbidden, permissionCheckResult.Message);

            }

            base.OnActionExecuting(filterContext);

        }

    }

参数检查不合格,进行页面跳转

Redirect From Action Filter Attribute

 

Set filterContext.Result

With the route name:

filterContext.Result = new RedirectToRouteResult("SystemLogin", routeValues);

You can also do something like:

filterContext.Result = new ViewResult

{

    ViewName = SharedViews.SessionLost,

    ViewData = filterContext.Controller.ViewData

};

If you want to use RedirectToAction:

You could make a public RedirectToAction method on your controller (preferably on its base controller) that simply calls the protected RedirectToAction from System.Web.Mvc.Controller. Adding this method allows for a public call to your RedirectToAction from the filter.

public new RedirectToRouteResult RedirectToAction(string action, string controller)

{

    return base.RedirectToAction(action, controller);

}

Then your filter would look something like:

public override void OnActionExecuting(ActionExecutingContext filterContext)

{

    var controller = (SomeControllerBase) filterContext.Controller;

    filterContext.Result = controller.RedirectToAction("index", "home");

}

参数检查  不跳转400,直接返回json result

返回的结果是jsonresult

 protected override void OnActionExecuting(ActionExecutingContext filterContext)

        {

            var modelState = filterContext.Controller.ViewData.ModelState;

            if (!modelState.IsValid)

            {

                var httpResponseBase = filterContext.HttpContext.Response;

                httpResponseBase.StatusCode = (int) HttpStatusCode.BadRequest;

                httpResponseBase.StatusDescription = "Invalid Model State";

                var errorMessage = ModelState.Values.First(v => v.Errors.Count > ).Errors[].ErrorMessage;

                LogUtil.CreateLog(LogLevel.Error, errorMessage);

                filterContext.Result = new JsonResult

                {

                    Data = new ReturnMessage

                    {

                        Status = OperationStatus.Failed,

                        Message = errorMessage

                    }

                };

            }

            base.OnActionExecuting(filterContext);

        }

Understanding Action Filters (C#) 可以用来做权限检查的更多相关文章

  1. asp.net 使用IHttpModule 做权限检查 登录超时检查(转)

    IHttpModule 权限 检查 登录超时检查 这样就不需要每个页面都做一次检查 也不需要继承任何父类. using System;using System.Collections.Generic; ...

  2. Action Filters for ASP.NET MVC

    本文主要介绍ASP.NET MVC中的Action Filters,并通过举例来呈现其实际应用. Action Filters 可以作为一个应用,作用到controller action (或整个co ...

  3. 【Spring】5、利用自定义注解在SpringMVC中实现自定义权限检查

    转自:http://www.tuicool.com/articles/6z2uIvU 先描述一下应用场景,基于Spring MVC的WEB程序,需要对每个Action进行权限判断,当前用户有权限则允许 ...

  4. Mysql 存储过程、函数、触发器和视图的权限检查

    当存储过程.函数.触发器和视图创建后,不单单创建者要执行,其它用户也可能需要执行,换句话说,执行者有可能不是创建者本身,那么在执行存储过程时,MySQL是如何做权限检查的? 在默认情况下,MySQL将 ...

  5. 使用before_request来做权限和用户检查

    因为使用restful方式,因此每次用户访问都会上传带入auth_key,如jwt等,因此可在@app.before_request中做权限的检查. @app.app.before_request d ...

  6. mvc通过ActionFilterAttribute做登录检查

    1.0 创建Attribute using System; using System.Collections.Generic; using System.Linq; using System.Web; ...

  7. Laravel5做权限管理

    关于权限管理的思考 最近用laravel设计后台,后台需要有个权限管理.权限管理实质上分为两个部分,首先是认证,然后是权限.认证部分非常好做,就是管理员登录,记录session.这个laravel中也 ...

  8. 理解ASP.NET MVC Framework Action Filters

    原文:http://www.cnblogs.com/darkdawn/archive/2009/03/13/1410477.html 本指南主要解释action filters,action filt ...

  9. MVC用户登陆验证及权限检查(Form认证)

    1.配置Web.conf,使用Form认证方式   <system.web>     <authentication mode="None" />      ...

随机推荐

  1. Django使用Redis进行缓存详细最全流程

    背景和意义服务器数据非经常更新.若每次都从硬盘读取一次,浪费服务器资源.拖慢响应速度.而且数据更新频率较高,服务器负担比较大.若保存到数据库,还需要额外建立一张对应的表存储数据.在Django中建立表 ...

  2. Flask之DButils

    一.简介 在使用pymysql时遇到一些问题,就是当用户访问过多时,pymysql它同一时间只能处理一个线程.大大的降低了效率,对此我们基于DBUtils实现数据链接池. 二.安装与使用 创建数据库连 ...

  3. Centos7启动流程及systemd中Nginx启动配置

    Centos7启动流程: 1.post(Power-On-Self-Test) 加电自检 主要实现的功能是检测各个外围硬件设备是否存在而且能够正常运行起来,实现这一自检功能的是固化在主板上的ROM(主 ...

  4. Django admin 页面中文名称加s,去除s的设置

    class UserInfo(models.Model): #字段 #字段 #字段 class Meta: verbose_name_plural = '用户列表'

  5. sklearn 翻译笔记:KNeighborsClassifier

    今天做机器学习knn的实现想使用sklearn这个模块,但是里面的函数不懂,无奈只能查文档,但是一大片英文看见我就烦,也不是说不能看  但是以我低下的英语水平实在是太费劲了.幸好找到一篇前人翻译的比较 ...

  6. String/StringBuffer

    1. 将String中的空格替换成 %20 public class ReplaceBlank { public static void main(String[] args) { String st ...

  7. redis 设置密码并运行外部连接

    redis默认是不能远程访问的,如果希望多台机子共用redis数据库,那就需要开启redis远程连接访问.既然可以远程连接了,那就需要密码登陆,否则不安全.下面是具体的方法,按照步骤一步一步来就OK了 ...

  8. Spark-2.3.2 HBase BulkLoad

    在大量数据需要写入HBase时,通常有Put方式和BulkLoad两种方式. Put不做解释. BulkLoader方式的优势在于: 1.不会触发WAL预写日志,当表还没有数据时进行数据导入不会产生F ...

  9. 关于JDBCUtils的模糊查询问题

    1.JDBCUtils的模糊查询问题解决方法 数据库jdbc工具类的模糊查询最核心的就是用like %内容%,但是我们对于界面输入进来的东西都是用?来替代的,那么就代表着我们不能吧%%写在问号旁边.否 ...

  10. LG4213 【模板】杜教筛(Sum)和 BZOJ4916 神犇和蒟蒻

    P4213 [模板]杜教筛(Sum) 题目描述 给定一个正整数$N(N\le2^{31}-1)$ 求 $$ans_1=\sum_{i=1}^n\varphi(i)$$ $$ans_2=\sum_{i= ...