View Based Authorization
Often a developer will want to show, hide or otherwise modify a UI based on the current user identity. You can access the authorization service within MVC views via dependency injection. To inject the authorization service into a Razor view use the @inject directive, for example @inject IAuthorizationService AuthorizationService. If you want the authorization service in every view then place the @inject directive into the _ViewImports.cshtml file in the Views directory. For more information on dependency injection into views see Dependency injection into views.
Once you have injected the authorization service, you use it by calling the AuthorizeAsync method in exactly the same way as you would check during resource based authorization.

    @if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
    {
        <p>This paragraph is displayed because you fulfilled PolicyName.</p>
    }

In some cases the resource will be your view model, and you can call AuthorizeAsync in exactly the same way as you would check during resource based authorization:

    @if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
    {
        <p><a class="btn btn-default" role="button"
              href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
    }

Here you can see the model is passed as the resource that authorization should take into consideration.
Warning
Do not rely on showing or hiding parts of your UI as your only authorization method. Hiding a UI element does not mean a user cannot access it. You must also authorize the user within your controller code.
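
The controller-side check the warning calls for, as an added example that is not part of the original documentation. `Document`, `IDocumentRepository`, `DocumentOwnerHandler` and the owner-only rule are assumptions, and `Operations.Edit` is defined here because the page uses it without showing it. The code reads `.Succeeded` because `AuthorizeAsync` returns an `AuthorizationResult` from ASP.NET Core 2.0 onward, whereas the view snippets above use the earlier form that returns `bool`.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

// Assumed definitions: the page uses Operations.Edit and Model.Id without showing them.
public static class Operations
{
    public static readonly OperationAuthorizationRequirement Edit =
        new OperationAuthorizationRequirement { Name = nameof(Edit) };
}
public class Document { public int Id { get; set; } public string Owner { get; set; } }
public interface IDocumentRepository { Task<Document> FindAsync(int id); } // hypothetical store

// Assumed rule: only the owner may edit. Register with
// services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>();
public class DocumentOwnerHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Document resource)
    {
        var name = context.User.Identity?.Name; // null for anonymous users
        if (requirement.Name == Operations.Edit.Name
            && !string.IsNullOrEmpty(name) && name == resource.Owner)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public class DocumentController : Controller
{
    private readonly IAuthorizationService _authorization;
    private readonly IDocumentRepository _documents;
    public DocumentController(IAuthorizationService authorization, IDocumentRepository documents)
    { _authorization = authorization; _documents = documents; }

    // Target of the view's Edit link; a POST action that saves changes needs the same check.
    public async Task<IActionResult> Edit(int id)
    {
        var document = await _documents.FindAsync(id);
        if (document == null) return NotFound();
        // Same user, resource and requirement as the Razor check, enforced server-side.
        var result = await _authorization.AuthorizeAsync(User, document, Operations.Edit);
        if (!result.Succeeded)
            return User.Identity?.IsAuthenticated == true ? (IActionResult)Forbid() : Challenge();
        return View(document);
    }
}
```

Because the view and the controller evaluate the same requirement against the same resource, a request sent directly to the Edit URL is refused even when the link was never rendered.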