ASP.NET MVC4 权限验证
在 ASP.NET MVC4 中继承 ActionFilterAttribute 类，重写 OnActionExecuting 方法。注意：Action 过滤器在授权过滤器（IAuthorizationFilter）和模型绑定之后才执行，并且不会与 OutputCache 协同工作；如需在管线更早阶段拦截请求，应考虑改为实现 IAuthorizationFilter（或继承 AuthorizeAttribute）。
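/// <summary>
/// Permission interception filter for MVC4 actions.
/// Evaluation order in <see cref="OnActionExecuting"/>:
///   1. requests whose path is on the configured allow list are ignored entirely;
///   2. otherwise <see cref="AuthorizeCore"/> decides ([Anonymous] -> allow; no session user -> deny;
///      [LoginAllowView] -> allow; super-admin user or role -> allow; any action on the "manage"
///      controller -> allow; everything else -> role/operation permission lookup);
///   3. a denied request is short-circuited with a redirect (login page for [ViewPage] actions,
///      error page otherwise) or a JSON error for [LigerUIExceptionResult] actions.
/// NOTE(review): this is an action filter, so it runs after authorization filters and after
/// model binding, and it does not cooperate with OutputCache; an IAuthorizationFilter /
/// AuthorizeAttribute would intercept earlier in the pipeline. Kept as an action filter here
/// to preserve the existing interface (subclasses override AuthorizeCore(ActionExecutingContext)).
/// </summary>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class PermissionFilterAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Intercepts the action: skips allow-listed paths, otherwise runs <see cref="AuthorizeCore"/>
    /// and, on denial, sets <c>filterContext.Result</c> so the action body never executes.
    /// </summary>
    /// <param name="filterContext">The MVC action-executing context.</param>
    /// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Allow-listed paths bypass every check, including the login check.
        if (IsAllowListedPath(filterContext.HttpContext.Request.Path))
        {
            return;
        }

        if (this.AuthorizeCore(filterContext))
        {
            return;
        }

        // Denied. Short-circuit by assigning Result instead of calling Response.Redirect():
        // assigning Result is the MVC mechanism that guarantees the action and later filters
        // do not run, and it avoids the ThreadAbortException raised by Response.End().
        // [ViewPage] actions are sent to the login page even when the user is logged in but
        // lacks permission (original behavior, noted by the original author as unfriendly).
        if (HasActionAttribute(filterContext, typeof(ViewPageAttribute)))
        {
            filterContext.Result = new RedirectResult("~/Admin/Manage/UserLogin");
            return;
        }

        if (HasActionAttribute(filterContext, typeof(LigerUIExceptionResultAttribute)))
        {
            // LigerUI/AJAX callers get a JSON error payload (client shows a prompt) instead of a redirect.
            filterContext.Result = new FormatJsonResult()
            {
                IsError = true,
                Data = null,
                Message = "您没有权限执行此操作!"
            };
        }
        else
        {
            filterContext.Result = new RedirectResult("~/Admin/Manage/Error");
        }
    }

    /// <summary>
    /// True when <paramref name="path"/> exactly matches (case-insensitively) one of the pages
    /// returned by <c>ConfigSettings.GetAllAllowPage()</c>. An ordinal comparison replaces the
    /// original ToLower() pair so the match cannot vary with the thread culture; a null path or
    /// a null allow list simply does not match (the request then goes through AuthorizeCore).
    /// </summary>
    /// <param name="path">The request path as reported by <c>Request.Path</c>.</param>
    private static bool IsAllowListedPath(string path)
    {
        if (path == null)
        {
            return false;
        }

        IList<string> allowPages = ConfigSettings.GetAllAllowPage();
        if (allowPages == null)
        {
            return false;
        }

        foreach (string page in allowPages)
        {
            if (string.Equals(page, path, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// True when the action descriptor carries at least one attribute of
    /// <paramref name="attributeType"/>. Only the action descriptor is consulted (as in the
    /// original), so an attribute placed on the controller class is not seen here.
    /// </summary>
    /// <param name="filterContext">The MVC action-executing context.</param>
    /// <param name="attributeType">The marker attribute type to look for.</param>
    private static bool HasActionAttribute(ActionExecutingContext filterContext, Type attributeType)
    {
        object[] attrs = filterContext.ActionDescriptor.GetCustomAttributes(attributeType, true);
        return attrs != null && attrs.Length > 0;
    }

    /// <summary>
    /// [Anonymous] marker check: true when the action may be reached without a session.
    /// </summary>
    /// <param name="filterContext">The MVC action-executing context.</param>
    /// <returns>true when the action carries <c>AnonymousAttribute</c>.</returns>
    public bool CheckAnonymous(ActionExecutingContext filterContext)
    {
        return HasActionAttribute(filterContext, typeof(AnonymousAttribute));
    }

    /// <summary>
    /// [LoginAllowView] marker check: true when merely being logged in is enough to reach the
    /// action (no role/operation permission lookup).
    /// </summary>
    /// <param name="filterContext">The MVC action-executing context.</param>
    /// <returns>true when the action carries <c>LoginAllowViewAttribute</c>.</returns>
    public bool CheckLoginAllowView(ActionExecutingContext filterContext)
    {
        return HasActionAttribute(filterContext, typeof(LoginAllowViewAttribute));
    }

    /// <summary>
    /// Core permission decision. Checks run broadest first and every early return is final.
    /// </summary>
    /// <param name="filterContext">The MVC action-executing context.</param>
    /// <returns>true to allow the action; false to deny it.</returns>
    /// <exception cref="ArgumentNullException">The context carries no HttpContext.</exception>
    protected virtual bool AuthorizeCore(ActionExecutingContext filterContext)
    {
        if (filterContext.HttpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        // 1. [Anonymous] actions need no session at all.
        if (CheckAnonymous(filterContext))
        {
            return true;
        }

        // 2. Everything below requires a logged-in user (session key "UserID").
        if (SessionHelper.Get("UserID") == null)
        {
            return false;
        }

        // 3. [LoginAllowView] actions only require being logged in.
        if (CheckLoginAllowView(filterContext))
        {
            return true;
        }

        SysCurrentUser currentUser = new SysCurrentUser();

        // 4. The configured super-admin user is allowed everywhere.
        if (currentUser.UserID == ConfigSettings.GetAdminUserID())
        {
            return true;
        }

        // 5. So is anyone holding the configured super-admin role
        //    (UserRoles is treated as a ','-separated list by Tools.CheckStringHasValue).
        string adminRoleId = ConfigSettings.GetAdminUserRoleID().ToString();
        if (Tools.CheckStringHasValue(currentUser.UserRoles, ',', adminRoleId))
        {
            return true;
        }

        // 6. Any action on the "manage" controller is allowed to any logged-in user.
        // NOTE(review): the original comment describes this as the Manage Index/Welcome pages,
        // but the exemption is per-controller: every action on Manage, present or future, skips
        // the role/operation lookup. Consider narrowing it to the intended actions (or marking
        // them [LoginAllowView]) so new Manage actions are not silently exposed. Behavior preserved.
        string controllerName = filterContext.RouteData.Values["controller"].ToString();
        string actionName = filterContext.RouteData.Values["action"].ToString();
        if (string.Equals(controllerName, "manage", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        // 7. Role/operation permission lookup for the requested controller/action.
        UserService userService = new UserService();
        return userService.RoleHasOperatePermission(currentUser.UserRoles, controllerName, actionName);
    }
}
}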