最近在把之前WEB FORM的应用改成MVC架构的。用到了MVC 4.0,但是又不想用自带的权限管理。于是自己写了一个ActionFilter来实现权限控制。原理如下:
2,首先,在登录页面存储用户Session。
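/// <summary>
/// GET handler for the login page. First tries a "remember me" sign-in from the
/// "YourAppLogin" cookie: the cookie's "loginUserAccount" value is decrypted,
/// resolved to a user, and on success the user model and menu list are stored
/// in Session and the browser is redirected. Otherwise the login view is
/// rendered with the announcement list and a "please log in" message.
/// </summary>
/// <param name="returnUrl">
/// Where to send the user after a successful cookie sign-in. Only local URLs
/// are honoured; anything else (or an empty value) falls back to Home/Index so
/// that the login page cannot be used as an open redirect.
/// </param>
/// <returns>A redirect when the cookie sign-in succeeds, otherwise the login view.</returns>
[HttpGet]
public ActionResult Login(String returnUrl)
{
    DAL.m_announcement dal_m_announcement = new DAL.m_announcement();
    var m_announcement_list = dal_m_announcement.GetListModelByPage(true);

    try
    {
        // "Remember me" sign-in: the cookie carries an encrypted account identifier.
        DAL.z_user dal_user = new DAL.z_user();
        var loginCookie = Request.Cookies["YourAppLogin"];
        string userAccount = loginCookie == null ? null : loginCookie.Values["loginUserAccount"];

        if (userAccount != null)
        {
            Common.Encrypt Encrypt = new Common.Encrypt();
            Models.z_user model_z_user = dal_user.GetLoginModel(Encrypt.DecryptString(userAccount.Trim()));

            if (model_z_user != null)
            {
                DAL.z_menu dal_z_menu = new DAL.z_menu();
                var z_menu_list = dal_z_menu.GetMenuModelListByUserID(model_z_user.ID);
                Session.Add("loginUserMenuList", z_menu_list);
                Session.Add("loginUserModel", model_z_user);

                // returnUrl comes from the query string and is untrusted: only
                // follow it when it points back into this application.
                if (!String.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                {
                    return Redirect(returnUrl);
                }
                return RedirectToAction("Index", "Home");
            }
        }
    }
    catch
    {
        // Any failure while processing the cookie (e.g. a value that does not
        // decrypt) is treated as "not logged in": the user is shown the login
        // page rather than an error. The exception itself is not surfaced here.
    }

    ViewBag.errorMessage = "请先登录...";
    return View(m_announcement_list);
}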
2,然后新建一个名为AuthenticationAttribute的ActionFilterAttribute,在Filters目录。根据Session和数据库中的用户权限判断是否有权限访问。如果没有权限则跳转到相应提示页面。代码如下:
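/// <summary>
/// Runs before every action the attribute is applied to. Resolves the current
/// user from Session, falling back to the "YourAppLogin" remember-me cookie
/// (which re-populates Session), then checks that one of the user's menu
/// entries grants the controller being requested. On success the user model
/// and menu list are exposed through ViewBag; otherwise the result is replaced
/// with the "NoPermission" view (signed in but not authorised) or the
/// "SessionLost" view (not signed in at all).
/// </summary>
/// <param name="filterContext">Context supplied by MVC for the action about to execute.</param>
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    var httpContext = filterContext.HttpContext;
    Models.z_user model_z_user = (Models.z_user)httpContext.Session["loginUserModel"];
    List<Models.z_menu> z_menu_list = (List<Models.z_menu>)httpContext.Session["loginUserMenuList"];

    bool signedIn = model_z_user != null && z_menu_list != null;
    if (!signedIn)
    {
        // Session lost: try the remember-me cookie. Every failure path must
        // deny the request. Previously a cookie that was present but unusable
        // (no "loginUserAccount" value, or an account that resolved to no user)
        // set no result, so the action executed with no authentication at all.
        signedIn = TryLoginFromCookie(filterContext, out model_z_user, out z_menu_list);
    }

    if (!signedIn)
    {
        // Neither a session nor a usable cookie.
        filterContext.Result = new ViewResult
        {
            ViewName = "SessionLost",
            ViewData = filterContext.Controller.ViewData
        };
    }
    else
    {
        String controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        if (HasControllerPermission(z_menu_list, controllerName))
        {
            filterContext.Controller.ViewBag.model_z_user = model_z_user;
            filterContext.Controller.ViewBag.z_menu_list = z_menu_list;
        }
        else
        {
            // Signed in, but no menu entry grants this controller.
            filterContext.Result = new ViewResult
            {
                ViewName = "NoPermission",
                ViewData = filterContext.Controller.ViewData
            };
        }
    }

    base.OnActionExecuting(filterContext);
}

/// <summary>
/// Re-establishes a login from the "YourAppLogin" remember-me cookie and
/// re-populates Session with the user model and menu list.
/// </summary>
/// <param name="filterContext">Context whose HttpContext supplies the request cookies and Session.</param>
/// <param name="model_z_user">The resolved user, or null when the method returns false.</param>
/// <param name="z_menu_list">The user's menu entries, or null when the method returns false.</param>
/// <returns>
/// False when the cookie is absent, carries no "loginUserAccount" value, or the
/// decrypted account does not resolve to a user; true otherwise.
/// </returns>
private static bool TryLoginFromCookie(ActionExecutingContext filterContext, out Models.z_user model_z_user, out List<Models.z_menu> z_menu_list)
{
    model_z_user = null;
    z_menu_list = null;

    var httpContext = filterContext.HttpContext;
    var loginCookie = httpContext.Request.Cookies["YourAppLogin"];
    if (loginCookie == null)
    {
        return false;
    }

    string userAccount = loginCookie.Values["loginUserAccount"];
    if (userAccount == null)
    {
        return false;
    }

    // NOTE(review): DecryptString is project code; if it throws on a malformed
    // cookie value the exception propagates out of the filter (the Login action
    // wraps the same call in try/catch) — confirm which behaviour is intended.
    Common.Encrypt Encrypt = new Common.Encrypt();
    DAL.z_user dal_user = new DAL.z_user();
    model_z_user = dal_user.GetLoginModel(Encrypt.DecryptString(userAccount.Trim()));
    if (model_z_user == null)
    {
        return false;
    }

    DAL.z_menu dal_z_menu = new DAL.z_menu();
    z_menu_list = dal_z_menu.GetMenuModelListByUserID(model_z_user.ID);

    // Replace, rather than add alongside, any stale session entries.
    httpContext.Session.Remove("loginUserMenuList");
    httpContext.Session.Remove("loginUserModel");
    httpContext.Session.Add("loginUserMenuList", z_menu_list);
    httpContext.Session.Add("loginUserModel", model_z_user);
    return true;
}

/// <summary>
/// True when one of the user's menu entries is rooted at the requested
/// controller: its VALUE is exactly "/{controller}" or starts with
/// "/{controller}/" (or "/{controller}?"). A bare prefix test would also accept
/// "/UserAdmin/..." for controller "User", i.e. grant more than the menu does.
/// </summary>
/// <param name="z_menu_list">Menu entries of the signed-in user; null or empty grants nothing.</param>
/// <param name="controllerName">Name of the controller being requested.</param>
/// <returns>True when some entry grants the controller, otherwise false.</returns>
private static bool HasControllerPermission(List<Models.z_menu> z_menu_list, string controllerName)
{
    if (z_menu_list == null || String.IsNullOrEmpty(controllerName))
    {
        return false;
    }

    string prefix = "/" + controllerName;
    foreach (Models.z_menu item in z_menu_list)
    {
        string value = item == null ? null : item.VALUE;
        // Ordinal: menu values are route paths, not linguistic text.
        if (value == null || !value.StartsWith(prefix, StringComparison.Ordinal))
        {
            continue;
        }

        // The controller segment must end here; otherwise a longer controller
        // name that merely shares this prefix would match.
        if (value.Length == prefix.Length)
        {
            return true;
        }
        char next = value[prefix.Length];
        if (next == '/' || next == '?')
        {
            return true;
        }
    }
    return false;
}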
3,最后在每个需要验证的Action上面加上这个Filter就行了。以后每执行这个Action或者Controller之前都会执行AuthenticationAttribute里面的内容。
// Applied to a controller class: the filter runs before every action in it.
[Authentication]
public class UserController : Controller
{
    // ... controller code ...
}

// Applied to a single action: the filter runs only before MyAccount.
[HttpPost]
[Authentication]
public ActionResult MyAccount(FormCollection collection)
{
    // ... action code ...
}