最近在把之前WEB FORM的应用改成MVC架构的。用到了MVC 4.0,但是又不想用自带的权限管理。于是自己写了一个ActionFilter来实现权限控制。原理如下:
1,首先,在登陆页面存储用户Session。
[HttpGet]
public ActionResult Login(String returnUrl)
{
DAL.m_announcement dal_m_announcement = new DAL.m_announcement();
List m_announcement_list = dal_m_announcement.GetListModelByPage(true);
try
{
//Remember me login.
DAL.z_user dal_user = new DAL.z_user();
if (Request.Cookies["YourAppLogin"] != null)
{
string userAccount = Request.Cookies["YourAppLogin"].Values["loginUserAccount"];
if (userAccount != null)
{
Common.Encrypt Encrypt = new Common.Encrypt();
Models.z_user model_z_user = dal_user.GetLoginModel(Encrypt.DecryptString(userAccount.Trim()));
if (model_z_user != null)
{
DAL.z_menu dal_z_menu = new DAL.z_menu();
List z_menu_list = dal_z_menu.GetMenuModelListByUserID(model_z_user.ID);
Session.Add("loginUserMenuList", z_menu_list);
Session.Add("loginUserModel", model_z_user);
if (!String.IsNullOrEmpty(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
}
}
ViewBag.errorMessage = "请先登录...";
return View(m_announcement_list);
}
catch
{
ViewBag.errorMessage = "请先登录...";
return View(m_announcement_list);
}
}
2,然后新建一个名为AuthenticationAttribute的ActionFilterAttribute,在Filters目录。根据Session和数据库中的用户权限判断是否有权限访问。如果没有权限则跳转到相应提示页面。代码如下:
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
Models.z_user model_z_user = (Models.z_user)filterContext.HttpContext.Session["loginUserModel"];
List z_menu_list = (List)filterContext.HttpContext.Session["loginUserMenuList"];
if (model_z_user != null && z_menu_list != null)
{
//检查是否有权限
String controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
Boolean hasPermission = false;
foreach (Models.z_menu item in z_menu_list)
{
if (item.VALUE.IndexOf("/" + controllerName) == 0)
{
hasPermission = true;
}
}
if (hasPermission)
{
filterContext.Controller.ViewBag.model_z_user = model_z_user;
filterContext.Controller.ViewBag.z_menu_list = z_menu_list;
}
else
{
//没有权限
filterContext.Result = new ViewResult
{
ViewName = "NoPermission",
ViewData = filterContext.Controller.ViewData
};
}
//检查是否有权限
}
else //Session lost
{
//Remember me login.
if (filterContext.HttpContext.Request.Cookies["YourAppLogin"] != null)
{
DAL.z_user dal_user = new DAL.z_user();
string userAccount = filterContext.HttpContext.Request.Cookies["YourAppLogin"].Values["loginUserAccount"];
if (userAccount != null)
{
Common.Encrypt Encrypt = new Common.Encrypt();
model_z_user = dal_user.GetLoginModel(Encrypt.DecryptString(userAccount.Trim()));
if (model_z_user != null)
{
DAL.z_menu dal_z_menu = new DAL.z_menu();
z_menu_list = dal_z_menu.GetMenuModelListByUserID(model_z_user.ID);
filterContext.HttpContext.Session.Remove("loginUserMenuList");
filterContext.HttpContext.Session.Remove("loginUserModel");
filterContext.HttpContext.Session.Add("loginUserMenuList", z_menu_list);
filterContext.HttpContext.Session.Add("loginUserModel", model_z_user);
//检查是否有权限
String controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
Boolean hasPermission = false;
foreach (Models.z_menu item in z_menu_list)
{
if (item.VALUE.IndexOf("/" + controllerName) == 0)
{
hasPermission = true;
}
}
if (hasPermission)
{
filterContext.Controller.ViewBag.model_z_user = model_z_user;
filterContext.Controller.ViewBag.z_menu_list = z_menu_list;
}
else
{
//没有权限
filterContext.Result = new ViewResult
{
ViewName = "NoPermission",
ViewData = filterContext.Controller.ViewData
};
}
//检查是否有权限
}
}
}
else //没有session也没有cookies
{
filterContext.Result = new ViewResult
{
ViewName = "SessionLost",
ViewData = filterContext.Controller.ViewData
};
}
}
base.OnActionExecuting(filterContext);
}
3,最后在每个需要验证的Action上面加上这个Filter就行了。以后每执行这个Action或者Controller之前都会执行AuthenticationAttribute里面的内容。
[Authentication]
public class UserController : Controller
{
//代码
}
[HttpPost]
[Authentication]
public ActionResult MyAccount(FormCollection collection)
{
//代码
}